Configuration Guide: BlackBerry Enterprise Service 10, Version 10.2
Published: 2015-02-27
SWD-20150227164548686

Contents

1 Introduction
  About this guide
  What is BlackBerry Enterprise Service 10?
    Key features of BlackBerry Enterprise Service 10
  Configuring BlackBerry Enterprise Service 10 for the first time
2 Setting up the BlackBerry Enterprise Service 10 domain
  BlackBerry Enterprise Service 10 administration consoles
    Log in to the BlackBerry Device Service console
    Log in to the Universal Device Service console
    Log in to the BlackBerry Management Studio console
    Troubleshooting: The browser does not trust the website's security certificate
    Use the BES10 Configuration Tool
  Managing the web keystores
    Change the password for the web keystores
    Import a new SSL certificate into the web keystores
  About licensing
  Configuring connection types and port numbers
    Outbound ports: Managing BlackBerry devices
    Outbound ports: Managing iOS and Android devices
    Outbound ports: Device data
    Outbound ports: Work space-enabled devices on a work Wi-Fi network
    Internal ports: Database connections
    Internal ports: Devices and components
    Internal ports: Components and administration consoles
    Internal ports: Administration consoles and browsers
    Internal ports: BlackBerry Administration Service instances
    Ports and proxy configuration
  Connecting BlackBerry Enterprise Service 10 to a company directory
    Connect the BlackBerry Device Service to Microsoft Active Directory
    Connect the BlackBerry Device Service to an LDAP directory
    Connect the Universal Device Service to Microsoft Active Directory
    Connect the Universal Device Service to an LDAP directory
  Configuring single sign-on for the BlackBerry Enterprise Service 10 consoles
    Prerequisites
    Configure constrained delegation for the Microsoft Active Directory account to support single sign-on
    Configure single sign-on for the Administration Console
    Configure single sign-on for the BlackBerry Administration Service
    BlackBerry Administration Service URL for single sign-on
  Assigning the device management role for Android devices and iOS devices
    Assign the device management role to a different instance or high availability pair
  Configuring high availability for BlackBerry Enterprise Service 10
    Architecture: High availability for BlackBerry Enterprise Service 10
    Components that support high availability failover
    Components that do not support high availability failover
    Health parameters and the availability of BlackBerry Enterprise Service 10 components
    Prerequisites: Installing a standby instance of the core components
    Install a standby instance of the core components
    Fail over device service manually
    Switch the primary and standby instances
    Tasks to perform after an automatic or manual failover
    Turn off automatic failover
    Change the active Administration Console instance
    Monitoring a high availability configuration
  Configuring high availability for BlackBerry Enterprise Service 10 databases
    Database mirroring for both BlackBerry Enterprise Service 10 databases
    System requirements: Database mirroring
    Prerequisites: Configuring database mirroring
    Configuring database mirroring
    Configuring BlackBerry Enterprise Service 10 to support database mirroring
  Using gatekeeping to control which devices can access Microsoft ActiveSync
    Configure Microsoft Exchange permissions for gatekeeping
    Configure Microsoft IIS permissions for gatekeeping
    Create a Microsoft ActiveSync configuration in the Universal Device Service
    Turn on Microsoft ActiveSync gatekeeping for BlackBerry devices
  Monitoring BlackBerry Enterprise Service 10 components
    Supported SNMP operations
    System requirements: SNMP monitoring
    Configuring SNMP monitoring
    Configuring SNMP traps
    Troubleshooting
  Restarting BlackBerry Enterprise Service 10 components
    Restarting one component
    Restarting all components
3 Setting up BlackBerry Device Service components
  Changing the security settings of the BlackBerry Administration Service
    Configuring Microsoft Active Directory authentication in an environment that includes a resource forest
    Changing password settings for BlackBerry Administration Service authentication
    Regenerate the system credentials for the BlackBerry Administration Service
  Configuring multiple BlackBerry Administration Service instances
    Change the name of the BlackBerry Administration Service pool
  Configuring the BlackBerry Administration Service to use a proxy server
    Configuring proxy selection for the BlackBerry Administration Service
    Configuring the BlackBerry Administration Service to authenticate with a proxy server
  Connect to an SMTP server to send email notifications to users
    Create an activation email message to test the SMTP
  Creating a shared network folder for distributing apps to devices
    Specify a shared network folder
  Configuring how data is pushed to devices
    Configuring the BlackBerry MDS Connection Service and the Enterprise Management Web Service to use a proxy server
    Specifying a BlackBerry MDS Connection Service as a central push server
    Restricting the push application content that users can receive
    Managing push application requests
    Configuring how the BlackBerry MDS Connection Service connects to BlackBerry devices
  Disaster recovery planning for the BlackBerry Device Service
    Backing up the BlackBerry Configuration Database
    Back up the shared network folder
    Restore the BlackBerry Device Service
4 Setting up Universal Device Service components
  Connecting the BlackBerry Secure Connect Service to the BlackBerry Infrastructure through a TCP proxy server
    Configure the BlackBerry Secure Connect Service to connect to the BlackBerry Infrastructure through a TCP proxy server
  Configure the HTTP or HTTPS proxy server settings
  Configure SMTP server settings
  Configuring how the Universal Device Service contacts devices that are not responding
    Configure how the Universal Device Service contacts devices that are not responding
  Enabling the Secure Work Space for iOS devices and Android devices
    Enable and test the work space connection
    Importing the root certificate of the Universal Device Service to the Microsoft Exchange Server
    Configure the BlackBerry Work Connect Notification Service
    Configure the standby instance to support email notifications for work space-enabled iOS devices
  Understanding and installing APNs certificates
    About APNs
    Request a signed CSR from BlackBerry
    Check the status of your request for a signed CSR from BlackBerry
    Download the signed CSR from BlackBerry and save it
    Request an APNs certificate from Apple
    Upload the APNs certificate
    Import the .pfx file into the certificate store
    Change the private key access permissions of the certificate
    Verify the status of the APNs certificate
    Test the APNs connection
    Troubleshooting APNs
  Configuring device communication settings
    Polling intervals for device communication settings
    Configure the device communication settings
  Installing an SSL certificate for the Communication Module
    Install or update an SSL certificate for the Communication Module
    Requesting an SSL certificate for the Communication Module
5 Setting up BlackBerry Management Studio
  Adding additional domains to BlackBerry Management Studio
    Default port numbers for supported domains
    Add, remove, or recertify a domain
  Change the listening port for BlackBerry Management Studio
  Change the search settings for BlackBerry Management Studio
  Change the directory support for creating users in BlackBerry Management Studio
  Changing the label for a Service in BlackBerry Management Studio
6 Product documentation
7 Provide feedback
8 Glossary
9 Legal notice


1 Introduction

This section provides information about the purpose of this guide, a description of the key features of BlackBerry Enterprise Service 10, and guidance for completing various configuration tasks.

About this guide

BlackBerry Enterprise Service 10 helps you manage BlackBerry devices, Android devices, and iOS devices for your organization. This guide provides instructions for configuring the BlackBerry Enterprise Service 10 components to meet your organization's needs. This guide is intended for senior IT professionals who are responsible for setting up and deploying the product.

Before you can complete the tasks in this guide, you need to install or upgrade the product and activate licenses.
You can find instructions for installing or upgrading the product in the BlackBerry Enterprise Service 10 Installation Guide and the BlackBerry Enterprise Service 10 Upgrade Guide. You can find instructions for activating licenses in the BlackBerry Enterprise Service 10 Licensing Guide.

After you complete the tasks in this guide, you can create administrator accounts and user accounts, and you can configure server and device controls. You can find instructions for creating accounts and configuring server and device controls in the BlackBerry Device Service Advanced Administration Guide, Universal Device Service Advanced Administration Guide, and BlackBerry Management Studio Basic Administration Guide.

Related information: Product documentation

What is BlackBerry Enterprise Service 10?

BlackBerry Enterprise Service 10 helps you manage mobile devices for your organization. You can manage BlackBerry devices and BlackBerry PlayBook tablets, as well as iOS and Android devices, all from a unified interface. BlackBerry Enterprise Service 10 is designed to help protect business information, keep mobile workers connected with the information they need, and provide administrators with efficient tools that help keep business moving forward.

BlackBerry Enterprise Service 10 includes the following components:

Component: BlackBerry Device Service
  Description: Provides advanced administration for BlackBerry 10 devices and BlackBerry PlayBook tablets.

Component: Universal Device Service
  Description: Provides advanced administration for iOS and Android devices.

Component: BlackBerry Management Studio
  Description: Provides a unified interface to administer common tasks for BlackBerry 10 devices, BlackBerry PlayBook tablets, BlackBerry 7.1 and earlier devices, iOS devices, and Android devices.

Component: BES10 Self-Service
  Description: Provides a console to users so that they can perform some self-service tasks. For example, users can create activation passwords, remotely change the password on their device, or delete data from the device.

Key features of BlackBerry Enterprise Service 10

The table below describes some of the key features of BlackBerry Enterprise Service 10.

Feature: Management of most types of devices
  Description: BlackBerry Enterprise Service 10 supports all types of BlackBerry devices and tablets, as well as iOS devices and Android devices.

Feature: Single, unified interface
  Description: BlackBerry Management Studio is a single, web-based interface where you can view all devices in one place and access the most common management tasks across multiple domains. These tasks include creating and managing groups, managing device controls, and activating mobile devices.

Feature: Trusted and secure experience
  Description: Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information.

Feature: Balance of work and personal needs
  Description: BlackBerry Balance and Secure Work Space technology are designed to ensure that personal and work information are kept separate and secure on devices. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device. Additional security features are available depending on the device type.

Configuring BlackBerry Enterprise Service 10 for the first time

The following table describes, at a high level, the mandatory configuration tasks that you must complete after you install BlackBerry Enterprise Service 10, and the optional configuration tasks you can complete to meet your organization's needs. This is not a complete list of all of the configuration tasks that are covered in this guide.
Review all sections of the guide to identify additional tasks that might be appropriate for your organization's environment.

Task: Obtain and activate licenses (Mandatory)
  Description: To manage user accounts and devices, you must obtain and activate the appropriate licenses.
  Resource: BlackBerry Enterprise Service 10 Licensing Guide

Task: Import a new SSL certificate into the web keystores (Optional)
  Description: To meet your organization's security requirements, you can import a new SSL certificate that the administration consoles and other components use to authenticate with browsers.
  Resource: Managing the web keystores

Task: Verify that the required external and internal ports are open (Mandatory)
  Description: You must verify that the appropriate ports are available for components to connect to external resources, to each other, and to devices.
  Resource: Configuring connection types and port numbers

Task: Connect to the BlackBerry Infrastructure through a TCP proxy server (Optional)
  Description: To meet your organization's security standards and firewall rules, you can configure the BlackBerry Secure Connect Service to connect to the BlackBerry Infrastructure by routing data through a TCP proxy server.
  Resource: Connecting the BlackBerry Secure Connect Service to the BlackBerry Infrastructure through a TCP proxy server

Task: Connect BlackBerry Enterprise Service 10 to the company directory (Mandatory)
  Description: You must connect BlackBerry Enterprise Service 10 to the company directory so that BlackBerry Enterprise Service 10 can access user data.
  Resource: Connecting BlackBerry Enterprise Service 10 to a company directory

Task: Configure single sign-on for the administration consoles (Optional)
  Description: You can configure single sign-on authentication so that you do not have to log in to the administration consoles manually.
  Resource: Configuring single sign-on for the BlackBerry Enterprise Service 10 consoles

Task: Configure high availability for the core components (Optional)
  Description: To enhance the stability and reliability of your environment, you can install and configure a standby instance of the core components that serves as a backup to the primary instance.
  Resource: Configuring high availability for BlackBerry Enterprise Service 10

Task: Configure high availability for the BlackBerry Enterprise Service 10 databases (Optional)
  Description: To retain database service and data integrity if issues occur with the BlackBerry Enterprise Service 10 databases, you can install and configure mirror databases that serve as a backup to your principal databases.
  Resource: Configuring high availability for BlackBerry Enterprise Service 10 databases

Task: Configure support for Microsoft ActiveSync gatekeeping (Optional)
  Description: If you configured Microsoft Exchange to block devices from using Microsoft ActiveSync unless the devices are added to an allowed list, you must configure BlackBerry Enterprise Service 10 to support this feature.
  Resource: Using gatekeeping to control which devices can access Microsoft ActiveSync

Task: Configure the BlackBerry Administration Service to use a proxy server (Optional)
  Description: To meet your organization's security requirements, you can configure the BlackBerry Administration Service to route data through a proxy server.
  Resource: Configuring the BlackBerry Administration Service to use a proxy server

Task: Create a shared network folder for distributing apps to devices (Optional)
  Description: If you want to use BlackBerry Enterprise Service 10 to distribute apps to devices, you must specify a shared network folder that the BlackBerry Administration Service can use to store and distribute apps.
  Resource: Creating a shared network folder for distributing apps to devices

Task: Monitor BlackBerry Enterprise Service 10 components (Optional)
  Description: You can use third-party SNMP tools to monitor the activity of certain BlackBerry Enterprise Service 10 components.
  Resource: Monitoring BlackBerry Enterprise Service 10 components

Task: Configure SMTP server settings (Optional)
  Description: When you activate users, if you want BlackBerry Enterprise Service 10 to send activation emails to users, you must specify the SMTP server settings that the BlackBerry Device Service and the Universal Device Service can use.
  Resource: Connect to an SMTP server to send email notifications to users; Configure SMTP server settings

Task: Enable the work space (Optional)
  Description: To support the work space for iOS and Android devices, you must configure an SSL connection between BlackBerry Enterprise Service 10 and the Microsoft Exchange Server, and configure the BlackBerry Work Connect Notification Service.
  Resource: Enabling the Secure Work Space for iOS devices and Android devices

Task: Install APNs certificates (Optional)
  Description: If you want to manage and send data to iOS devices, you must obtain a signed CSR from BlackBerry, then you must obtain an APNs certificate from Apple and install it in your BlackBerry Enterprise Service 10 domain.
  Resource: Understanding and installing APNs certificates

Task: Install a new SSL certificate for the Communication Module (Optional)
  Description: To satisfy your organization's security requirements, you can install a new SSL certificate that the Communication Module uses during the activation process.
  Resource: Installing an SSL certificate for the Communication Module

Task: Configure BlackBerry Management Studio to connect to additional domains (Optional)
  Description: If your organization's environment includes additional BlackBerry Enterprise Service 10 domains, BlackBerry Enterprise Server 5.0 SP3 or later, or BlackBerry Enterprise Server Express 5.0 SP3 or later, you can configure BlackBerry Management Studio to connect to those domains.
  Resource: Adding additional domains to BlackBerry Management Studio


2 Setting up the BlackBerry Enterprise Service 10 domain

Before you activate and manage devices, you may need to configure some BlackBerry Enterprise Service 10 components so that they can run in your organization's environment. You can change port numbers to address any port conflicts, configure single sign-on between consoles, configure high availability, and more.

BlackBerry Enterprise Service 10 administration consoles

BlackBerry Enterprise Service 10 includes three consoles that you can use to manage the components and devices.

Administration console: BlackBerry Device Service console
  Description: Also known as the BlackBerry Administration Service, the BlackBerry Device Service console allows you to manage BlackBerry Device Service components, high availability, BlackBerry 10 devices, and BlackBerry PlayBook tablets.

Administration console: Universal Device Service console
  Description: Also known as the Administration Console, the Universal Device Service console allows you to manage Universal Device Service components, iOS devices, and Android devices.

Administration console: BlackBerry Management Studio
  Description: BlackBerry Management Studio allows you to manage licenses, view reports of your system, and perform some management tasks for BlackBerry 10 devices, BlackBerry PlayBook tablets, iOS devices, and BlackBerry 7.1 and earlier devices.

Log in to the BlackBerry Device Service console

The BlackBerry Device Service console, also known as the BlackBerry Administration Service, lets you manage the BlackBerry Device Service and the user accounts and devices that are associated with it. To open the console, you can use a browser on a computer that can access the computer that hosts the BlackBerry Administration Service. You can use a Microsoft Active Directory, LDAP, or BlackBerry Administration Service username and password to log in.
When you install BlackBerry Enterprise Service 10, you specify the username and password that you use to log in for the first time.

1. In the browser, type https://<FQDN>:<port>/webconsole/login, where <FQDN> is the name of the computer that hosts the BlackBerry Administration Service. The default port for the BlackBerry Administration Service is 38443.
2. In the User name field, type your username.
3. In the Password field, type your password.
4. Perform one of the following actions:
   • In the Log in using drop-down list, click BlackBerry Administration Service.
   • In the Log in using drop-down list, click Active Directory and type the Microsoft Active Directory domain in the Domain field.
   • In the Log in using drop-down list, click LDAP.
5. Click Log in.
6. Install the RIMWebComponents.cab add-on if you are prompted to do so.

Log in to the Universal Device Service console

The Universal Device Service console (also known as the Administration Console) allows you to manage the Universal Device Service and the user accounts associated with it. To open the Administration Console, use a browser on any computer that can reach the computer that hosts the Administration Console. When you install BlackBerry Enterprise Service 10, you specify the username and password that you use to log in for the first time.

1. In the browser, type https://<FQDN>:<port>, where <FQDN> is the FQDN of the computer that hosts the Administration Console. The default port for the Administration Console is 6443.
2. In the Username field, type your username.
3. In the Password field, type your password.
4. Click Log in.

Log in to the BlackBerry Management Studio console

The BlackBerry Management Studio console allows you to perform common administrative tasks for all the devices in your organization that are managed by BlackBerry Enterprise Service 10.
Before you begin: To perform this task, you must know the web address for BlackBerry Management Studio, the username, the password (if necessary), the domain name (for example, the Windows domain in your organization's environment), and the authentication method.

1. In the browser, type https://<FQDN>:<port>, where <FQDN> is the name of the computer that hosts BlackBerry Management Studio. The default port for BlackBerry Management Studio is 7443.
2. In the Username field, type your username.
3. In the Password field, type your password.
4. In the Log in using drop-down list, perform one of the following actions:
   • Click Direct authentication.
   • Click Microsoft Active Directory authentication and type the Microsoft Active Directory domain in the Domain field.
   • Click LDAP authentication.
5. Click Log in.

Troubleshooting: The browser does not trust the website's security certificate

Possible cause

The BlackBerry Administration Service (also known as the BlackBerry Device Service console), the Administration Console (also known as the Universal Device Service console), BlackBerry Management Studio, and BES10 Self-Service use the SSL certificate that the setup application generated. Because that certificate was not issued by a CA that the browser already trusts, the browser warns about it until you replace it or explicitly trust it.

Possible solution

If you experience this issue with the BlackBerry Administration Service, BlackBerry Management Studio, or BES10 Self-Service, perform one of the following actions:
• Replace the SSL certificate that the setup application generated with one issued by a trusted CA. For more information, see Import a new SSL certificate into the web keystores. This is the cleaner option, because trust then does not depend on distributing the generated certificate to every administrator's computer.
• Install the SSL certificate that the setup application generated in the certificate store of all computers that are used to access the BlackBerry Administration Service, BlackBerry Management Studio, and BES10 Self-Service.
If you experience this issue with the Administration Console, install the SSL certificate that the setup application generated in the certificate store of all computers that are used to access the Administration Console website.

Use the BES10 Configuration Tool

The BES10 Configuration Tool is installed on each computer that you install BlackBerry Enterprise Service 10 on. Depending on the components that you choose to install, the BES10 Configuration Tool includes different tabs and configuration options. You can use the tool to configure system settings that are not available in the other consoles. For example, you can use the tool to change the port configuration and the database authentication for the BlackBerry Configuration Database.

1. On a computer that hosts a BlackBerry Enterprise Service 10 component, on the taskbar, click Start > All Programs > BlackBerry Enterprise Service 10 > Configuration Tool for BlackBerry Enterprise Service 10.
2. If a Windows message appears and requests permission to make changes to the computer, click Yes.
3. Make changes on the appropriate tabs.

Managing the web keystores

BlackBerry Enterprise Service 10 version 10.1 and later uses a different method of managing certificates than previous releases. The setup application generates and stores an SSL certificate in two password-protected keystore files: as.web.keystore and ncc.web.keystore. The following components present the SSL certificate to authenticate themselves to browsers:
• BlackBerry Administration Service
• BlackBerry Management Studio
• BES10 Self-Service
• Enterprise Management Web Service
• BlackBerry Web Services

In BlackBerry Device Service 6.2 and earlier, certificates were stored in a web.keystore file. If you upgrade to BlackBerry Enterprise Service 10 version 10.1 or later, the upgrade process replaces the web.keystore file with as.web.keystore and ncc.web.keystore.
Any existing certificates in web.keystore are not migrated to the new keystores.

You can use the BES10 Configuration Tool to change the password for the web keystores or to import a new SSL certificate. When you use the BES10 Configuration Tool to import certificates into the keystores, the certificates are written to the BlackBerry Enterprise Service 10 databases and then to the keystores (the same write from the databases to the keystores also occurs when you restart the BlackBerry Administration Service). This process overwrites any certificates that you imported into the keystores manually, so BlackBerry Enterprise Service 10 does not support importing certificates into the keystores manually.

Change the password for the web keystores

Before you begin: To verify the current password for the keystores, log in to the BlackBerry Administration Service using an administrator account with the Security Administrator role. On the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view. Click BlackBerry Administration Service and check the Security settings section.

1. On a computer that hosts the BlackBerry Administration Service, open the BES10 Configuration Tool. If a Windows message appears and requests permission to make changes to the computer, click Yes.
2. On the Web Keystore tab, type the current password.
3. In the Change web keystore password section, type a new password and confirm the new password.
4. Click Apply.
5. Click OK.

After you finish:
• Restart any computers that host the BlackBerry Enterprise Service 10 administration consoles.
• Restart any computers that host the BlackBerry Enterprise Service 10 core components.

Import a new SSL certificate into the web keystores

When you install BlackBerry Enterprise Service 10, the setup application generates and stores an SSL certificate in two password-protected keystore files: as.web.keystore and ncc.web.keystore.
You can import a new SSL certificate or a trusted certificate that a CA signs into both keystores. The SSL certificate used by the Administration Console (also known as the Universal Device Service administration console) is stored in a separate keystore. If you want to import a new SSL certificate for the Administration Console, visit www.blackberry.com/go/kbhelp to read article KB31084.

Before you begin:
• Generate or obtain a self-signed SSL certificate or a trusted certificate that a CA signs. The certificate must be in a keystore format (.jks, .pfx, .pkcs12). If you configure a BlackBerry Administration Service pool, you must generate an SSL certificate that uses the name of the BlackBerry Administration Service pool, because that is the name browsers connect to. You can find the pool name in the BES10 Configuration Tool.
• The SSL certificate must use the alias "httpssl".
• Add the FQDN of each computer that hosts the BlackBerry Web Services to the certificate's Subject Alternative Name field. This allows you to view information for each Universal Device Service instance in BlackBerry Management Studio after you import the certificate.
• To verify the current password for the keystores, log in to the BlackBerry Administration Service using an administrator account with the Security Administrator role. On the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view. Click BlackBerry Administration Service and check the Security settings section.

1. On a computer that hosts the BlackBerry Administration Service, open the BES10 Configuration Tool. If a Windows message appears and requests permission to make changes to the computer, click Yes.
2. On the Web Keystore tab, select the Import new SSL certificate option.
3. In the Current password field, type the password for the keystores.
4. In the Import new SSL certificate section, click Browse to navigate to and select the new SSL certificate.
5. In the Password field, type the password for the SSL certificate.
6. Click Apply.
7. Click OK.

After you finish:
• Restart any computers that host the BlackBerry Enterprise Service 10 administration consoles.
• Restart any computers that host the BlackBerry Enterprise Service 10 core components.

About licensing

After you install BlackBerry Enterprise Service 10, you must activate licenses. If you upgraded a supported product to BlackBerry Enterprise Service 10 version 10.1 or later, you must upgrade and activate licenses. You should activate licenses before you follow the configuration instructions in this guide, and before you add user accounts and activate devices. For more information about the different types of licenses and activating licenses, visit docs.blackberry.com/BES10 to read the BlackBerry Enterprise Service 10 Licensing Guide.

Configuring connection types and port numbers

Ports are virtual connection points that software applications use to send and receive data. Each port is identified by a port number, and different ports can be used to direct data to, or receive data from, specific sources. Applications send and receive data over ports using protocols. A protocol is a set of rules and conventions that applications use to send, receive, and interpret data. The protocols that appear in the tables in this section are TCP, HTTPS, HTTP, TLS, and UDP.

The BlackBerry Enterprise Service 10 components use various ports to communicate with the BlackBerry Infrastructure, other external services, internal resources (for example, browsers), and with each other. The topics in this section list the default ports that the components use. The tables indicate which ports you can change; if a table does not indicate that you can change a port, you must use the default port that is listed.
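After the firewall and port changes described in this section are made, the quickest way to confirm them is to probe each listed port from the computer that is supposed to initiate the connection. The script below is an added example and is not part of this guide or BlackBerry code. It uses only the Python 3 standard library, probes a list of TCP ports and classifies each one as open, closed (connection refused, so the host answered), timeout (no answer at all, the usual sign of a firewall that silently drops) or unresolved (name lookup failed). The host names in SAMPLE_RULES are placeholders; the port numbers are the defaults from the tables in this section. Only TCP-carried entries (TCP, HTTP, HTTPS, TLS) can be checked this way; the UDP and multicast entries cannot, and an open result shows only that something accepted the connection, not that it is the expected BlackBerry component.

```python
"""Probe TCP reachability of BES10 component ports from this host.

Added example, not BlackBerry code. Host names below are placeholders.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    source: str    # component or host role that opens the connection
    target: str    # host name or IP of the listener
    port: int
    protocol: str  # protocol as listed in the guide's tables
    purpose: str


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect and classify the outcome.

    open       -> handshake completed, a listener is reachable
    closed     -> connection refused (host reachable, nothing listening)
    timeout    -> no answer within the timeout (typical of a dropping firewall)
    unresolved -> name lookup failed
    error      -> any other socket error (for example, host unreachable)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def audit(rules, timeout: float = 3.0) -> dict:
    """Probe every rule from this host; returns {rule: status}."""
    return {rule: probe_tcp(rule.target, rule.port, timeout) for rule in rules}


def blocked(results: dict) -> list:
    """Rules whose status is anything other than 'open', in table order."""
    return [rule for rule, status in results.items() if status != "open"]


def local_listener():
    """Throw-away listener on 127.0.0.1 so the checker can be exercised offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


# Constructed sample: default ports from the guide; placeholder host names.
SAMPLE_RULES = [
    PortRule("Supported browser", "bas01.example.com", 38443, "HTTPS",
             "BlackBerry Administration Service console"),
    PortRule("Supported browser", "bms01.example.com", 7443, "HTTPS",
             "BlackBerry Management Studio"),
    PortRule("Supported browser", "uds01.example.com", 6443, "HTTPS",
             "Administration Console"),
    PortRule("BlackBerry Administration Service", "sql01.example.com", 1433, "TCP",
             "BlackBerry Configuration Database"),
    PortRule("BlackBerry Dispatcher", "router01.example.com", 3101, "TCP",
             "BlackBerry Router"),
]

if __name__ == "__main__":
    for rule, status in audit(SAMPLE_RULES).items():
        print(f"{status:10} {rule.source} -> {rule.target}:{rule.port} "
              f"({rule.protocol}) {rule.purpose}")
```

Run it on each computer in the From column with that computer's own rules; a "timeout" on a port the table says cannot be changed means the firewall, not the product configuration, is what needs attention.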
Depending on the size and complexity of your organization's software environment, you may not need to change any of the port numbers. If your organization enforces certain security standards, restricts certain types of data that pass through the firewall, or has existing software that uses the ports that the components require, you may need to change some of the firewall settings or port settings.

Outbound ports: Managing BlackBerry devices

BlackBerry Enterprise Service 10 components use the following ports to send data to sources outside your organization's firewall, such as the BlackBerry Infrastructure, and to receive data back from those sources. Every connection in this table is initiated by the component in the From column, so configure your organization's firewall to allow outbound connections over these ports and the return traffic on those connections; no unsolicited inbound connection needs to be allowed. For more information about the domains and IP addresses to use in your firewall configuration, visit www.blackberry.com/go/kbhelp to read articles KB34193 and KB03735.

From | To | Purpose | Protocol | Port | Where you can change the port
BlackBerry Router (optional) | BlackBerry Infrastructure | To connect to the blackberry.com and blackberry.net subdomains (.srp.blackberry.com) to activate and manage BlackBerry devices and to enable the use of the work space on BlackBerry devices. | TCP | 3101 | BES10 Configuration Tool
BlackBerry Dispatcher | BlackBerry Infrastructure | To connect to the blackberry.com and blackberry.net subdomains (.srp.blackberry.com) to activate and manage BlackBerry devices and to enable the use of the work space on BlackBerry devices. | TCP | 3101 | BlackBerry Administration Service
BlackBerry Licensing Service | BlackBerry Infrastructure | To connect to the licensing infrastructure (license.blackberry.com) to activate licenses. | HTTPS | 443 | Cannot change
BlackBerry Administration Service | BlackBerry Infrastructure | To register activation information for BlackBerry devices and access device information. | HTTPS | 443 | Cannot change
BlackBerry Administration Service | BlackBerry Infrastructure | To specify public apps in BlackBerry World as optional work apps for BlackBerry devices. | HTTP | 80 | Cannot change

Related information: Change the BlackBerry Router port numbers

Outbound ports: Managing iOS and Android devices

BlackBerry Enterprise Service 10 components use the following ports to send data to sources outside your organization's firewall, such as the BlackBerry Infrastructure, and to receive data back from those sources. Configure your organization's firewall to allow outbound connections over these ports and the return traffic on those connections. For more information about the domains and IP addresses to use in your firewall configuration, visit www.blackberry.com/go/kbhelp to read articles KB34193 and KB03735.

From | To | Purpose | Protocol | Port | Where you can change the port
BlackBerry Secure Connect Service | BlackBerry Infrastructure | To connect to the bbsecure.com subdomain (.bbsecure.com) to allow work space-enabled devices to access work data, to send activation and management data between iOS and Android devices and BlackBerry Enterprise Service 10, and to allow iOS devices to connect to APNs for device notifications. | TCP | 3101 | Cannot change
BlackBerry Secure Connect Service through a TCP proxy server (optional) | BlackBerry Infrastructure | To route data through a TCP proxy server if you do not want a direct connection to the BlackBerry Infrastructure. | TCP | 3101 | Administration Console
BlackBerry Licensing Service | BlackBerry Infrastructure | To connect to the licensing infrastructure (license.blackberry.com) to activate licenses. | HTTPS | 443 | Cannot change
Administration Console | BlackBerry Infrastructure | To request a signed CSR from BlackBerry so that you can obtain and register an APNs certificate. The APNs certificate is required to manage iOS devices. | HTTPS | 443 | Cannot change
Universal Device Service core components | BlackBerry Infrastructure | To connect to the .swstps.bbsecure.com subdomain to authenticate BlackBerry Enterprise Service 10 and enable the use of the Secure Work Space on iOS and Android devices. | HTTPS | 443 | Cannot change
Universal Device Service core components | BlackBerry Infrastructure | To connect to the .swsmanager.bbsecure.com subdomain to enable administrative control over the work space on iOS and Android devices. | HTTPS | 443 | Cannot change
BlackBerry Work Connect Notification Service | BlackBerry Infrastructure | To provide new or changed email and organizer notifications to work space-enabled iOS devices. | HTTPS | 443 | Cannot change
Scheduler | BlackBerry Infrastructure | To check a hosted metadata file each day at midnight for new device or OS data. Updates are downloaded to the Universal Device Service database. The hosted file is located at https://origin-www.blackberry.com/download/metadata/BES/metadata.xml.gz (IP address 208.65.77.102). | HTTPS | 443 | Cannot change
Core Module | Apple Root Certification Authority | To check the certificate revocation list (used if you do not set up an APNs HTTP proxy server). | HTTPS | 443 | Cannot change
Core Module | SMTP gateway | To enable SMTP for an external SMTP gateway (optional). | TCP | 25 | Administration Console

Outbound ports: Device data

BlackBerry Enterprise Service 10 uses the outbound-initiated port 3101 to send and receive data for BlackBerry 10 devices and work space-enabled iOS and Android devices. For iOS and Android devices that are not work space-enabled, BlackBerry Enterprise Service 10 sends and receives only activation and management data through the outbound-initiated port 3101. All other data, such as messaging data and data from third-party applications, is not sent through port 3101.
Consult the documentation or support resources for your organization's messaging software and third-party applications to determine the ports that you must open for that data.

Outbound ports: Work space-enabled devices on a work Wi-Fi network

Work space-enabled iOS and Android devices that use your organization's Wi-Fi network use the following outbound ports to connect to the BlackBerry Infrastructure and external services. Configure your organization's firewall to allow outbound connections over these ports and the return traffic on those connections.

From | To | Purpose | Protocol | Port | Where you can change the port
iOS devices, Android devices | BlackBerry Infrastructure | To connect to the .bbsecure.com subdomain when activating the device. | TLS | 443 | Cannot change
iOS devices, Android devices | BlackBerry Infrastructure | To connect to the .bbsecure.com subdomain so that administration commands can be applied to the devices. | TCP | 443, 80 | Cannot change. Port 443 is the default. Port 80 is only used by devices that were activated before you upgraded to BlackBerry Enterprise Service 10 version 10.2, or if the user specifies port 80.
iOS devices | APNs | To send management data to and from iOS devices. | TCP | 5223 | Cannot change
Android devices | BlackBerry Infrastructure | To connect to the .swsmanager.bbsecure.com subdomain. | HTTPS | 443 | Cannot change

Internal ports: Database connections

The BlackBerry Enterprise Service 10 databases, core components, and administration consoles must be able to communicate with each other and exchange data. If you install the databases on a computer separate from the core components or administration consoles, verify that the following static ports are open between the computers.
From | To | Protocol | Port | Where you can change the port
BlackBerry Administration Service, BlackBerry Management Studio, BlackBerry Dispatcher, BlackBerry MDS Connection Service, Enterprise Management Web Service | BlackBerry Configuration Database | TCP | 1433 | BES10 Configuration Tool
Administration Console, Core Module | Management Database | TCP | 1433 | BES10 Configuration Tool

Related information: Change the port number that components use to connect to the databases

Internal ports: Devices and components

The BlackBerry Enterprise Service 10 components and devices use the following ports to communicate with each other and exchange data. Verify that the following ports are open in your organization's network (for example, an internal Wi-Fi network).

From | To | Purpose | Protocol | Port | Where you can change the port
BlackBerry devices | Enterprise Management Web Service | To activate devices using a wired connection or over a VPN or Wi-Fi network that you configured for BlackBerry Enterprise Service 10. | HTTPS; HTTP | 38444; 38084 | BlackBerry Administration Service
Server-side push applications (SSL connection) | BlackBerry MDS Connection Service | To push application data to BlackBerry devices. Omitted if you configured a proxy server. | HTTPS | 9443 | BlackBerry Administration Service
Server-side push applications (non-SSL connection) | BlackBerry MDS Connection Service | To push application data to BlackBerry devices. Omitted if you configured a proxy server. | HTTP | 9080 | BlackBerry Administration Service

Internal ports: Components and administration consoles

The core components and administration consoles must be able to communicate with each other and exchange data. If you install the core components and administration consoles on separate computers, verify that the following ports are open between the computers.
From | To | Protocol | Port | Where you can change the port
BlackBerry Management Studio | BlackBerry Licensing Service | TCP | 3333 | Cannot change
BlackBerry MDS Connection Service | BlackBerry Dispatcher | TCP | 3201 | Cannot change
BlackBerry Dispatcher | BlackBerry Router | TCP | 3101 | BES10 Configuration Tool
Apache web services | Enterprise Management Web Service | TCP | 8009 | Cannot change
Microsoft Exchange Web Services | BlackBerry Work Connect Notification Service | HTTPS | 8088 | During installation
BlackBerry Web Services | BlackBerry Secure Connect Service | HTTPS | 38081 | Cannot change
Core Module | BlackBerry Secure Connect Service | HTTPS | 38081 | Cannot change
BlackBerry Management Studio | BlackBerry Web Services | HTTPS | 8082 | Cannot change
BlackBerry Secure Connect Service | Communication Module | HTTPS | 33443 | Cannot change
BlackBerry Directory Sync Tool, Scheduler, BlackBerry Web Services, Core Module | Communication Module | HTTPS | 9081 | Cannot change
BlackBerry Web Services | Other BlackBerry Web Services instances | TCP | 8083 | During installation
BlackBerry Dispatcher | BlackBerry Controller | UDP | 4060 | Cannot change
SNMP queries and traps | SNMP agent | UDP; TCP | 161; 162 | Cannot change

Internal ports: Administration consoles and browsers

After you install the administration consoles, you can access the consoles from a different computer using supported browsers. Verify that the following ports are open between the computers that host the consoles and the computers that administrators use to access the consoles. For more information about supported browsers, visit docs.blackberry.com/BES10 to review the BlackBerry Enterprise Service 10 Compatibility Matrix.
From | To | Protocol | Port | Where you can change the port
Supported browser | BlackBerry Management Studio | HTTPS | 7443 | BES10 Configuration Tool
Supported browser | BES10 Self-Service | HTTPS | 7445 | BES10 Configuration Tool
Supported browser | BlackBerry Administration Service | HTTPS; HTTP | 38443; 38180 | BES10 Configuration Tool
Supported browser | Administration Console | HTTPS; HTTP | 6443; 9440 | Cannot change

Internal ports: BlackBerry Administration Service instances

You can install the administration consoles on multiple computers (for example, to set up a BlackBerry Administration Service pool). If you do, verify that the following ports are open between the computers that host instances of the BlackBerry Administration Service.

Connection type | Protocol | Port | Where to configure
Incoming and outgoing connections using TCP | TCP | First two unused ports from 17100 | Cannot change
Incoming and outgoing connections using multicast UDP | UDP | Multicast IP address/port: 228.1.2.1/48858, 228.1.2.1/48857, 228.1.2.1/48855, 228.1.2.5/45588 | Cannot change
HA JNDI | TCP | 31100 | BES10 Configuration Tool
Local JNDI | TCP | 31099 | BES10 Configuration Tool
BAS-AS Dynamic Class loading | TCP | 38083 | BES10 Configuration Tool
BAS-AS Java RMI | TCP | 33873 | BES10 Configuration Tool
BAS-AS Java RMI over SSL | TLS | 33843 | Cannot change
BAS-AS messaging | TCP | 34457 | BES10 Configuration Tool
BAS-AS messaging data channel | TCP; UDP | 37000; 45568 | Cannot change
BAS-AS HA-RMI | TCP | 31101 | Cannot change
BAS-AS HA RMI object | TCP | 6447 | Cannot change
BAS-AS CORBA | TCP | 33528 | Cannot change
BAS-AS SNMP | TCP | 31162 | Cannot change
BAS-AS SNMP AD | TCP | 31161 | Cannot change
BAS-AS JMX RMI | TCP | 39001 | Cannot change
BAS-AS clustered messaging | TCP | 34458 | Cannot change
BAS-AS HA JNDI | TCP | 31102 | Cannot change
BAS-AS Java groups UDP multicast | UDP | 45567 | Cannot change
BAS-AS pool | TCP | 6448 | Cannot change
BAS-AS SQL proxy | UDP | 6446 | Cannot change
Connection type Protocol Port Where to configure BAS-AS Java groups TCP 7950 Cannot change BAS-NCC Dynamic Class loading TCP 48083 BES10 Configuration Tool BAS-NCC Java RMI over SSL TLS 43843 BES10 Configuration Tool BAS-NCC local JNDI TCP 41099 BES10 Configuration Tool BAS-NCC Java debugging TCP 8790 Cannot change BAS-NCC HA-RMI TCP 41101 Cannot change BAS-NCC HA RMI object TCP 7447 Cannot change BAS-NCC HA JNDI TCP 41100 Cannot change BAS-NCC CORBA TCP 43528 Cannot change BAS-NCC SNMP TCP 41162 Cannot change BAS-NCC SNMP AD TCP 41161 Cannot change BAS-NCC JMX RMI TCP 49001 Cannot change BAS-NCC EJB TCP 43873 Cannot change BAS-NCC web server TCP 48180 Cannot change BAS-NCC HA JNDI discovery TCP 41102 Cannot change BAS-NCC Java groups UDP multicast UDP 55568 Cannot change BAS-NCC messaging data channel TCP 47000 Cannot change UDP 45568 BAS-NCC pool TCP 7448 Cannot change BAS-NCC Java RMI TCP 3844 Cannot change Related information Change the BlackBerry Administration Service port numbers, 33 Ports and proxy configuration For more information about configuring connections from BlackBerry Enterprise Service 10 components to proxy servers in your organization's environment, see the following topics: 31 Configuration Guide Setting up the BlackBerry Enterprise Service 10 domain • Change the BlackBerry Router port numbers • Configuring the BlackBerry Administration Service to use a proxy server • Configuring the BlackBerry MDS Connection Service and the Enterprise Management Web Service to use a proxy server • Connecting the BlackBerry Secure Connect Service to the BlackBerry Infrastructure through a TCP proxy server • Configure the HTTP or HTTPS proxy server settings Change the BlackBerry Router port numbers 1. On the computer that hosts the BlackBerry Router, open the BES10 Configuration Tool. If a Windows message appears and requests permission to make changes to the computer, click Yes. 2. On the BlackBerry Router tab, perform the following actions: a. 
In the SRP port (outgoing) field, type the port number that the BlackBerry Router uses to connect to the BlackBerry Infrastructure. b. In the BlackBerry Dispatcher port (incoming) field, type the port number that the BlackBerry Dispatcher uses to connect to the BlackBerry Router. 3. Click Apply. 4. Click OK. After you finish: • In the Windows Services, restart the BES10 - BlackBerry Router service. • If the BlackBerry Dispatcher port is not 3101, in the BlackBerry Administration Service, type the BlackBerry Dispatcher port in the Port override field for any BlackBerry Device Service instances that connect to the BlackBerry Router. Change the port number that components use to connect to the databases You can change the static port number that BlackBerry Enterprise Service 10 components use to connect to the BlackBerry Enterprise Service 10 databases. You must perform this task if you change the port number that Microsoft SQL Server uses. By default, the databases accept TCP/IP connections to port number 1433 on Microsoft SQL Server. 1. On the computer that hosts the BlackBerry Enterprise Service 10 core components, open the BES10 Configuration Tool. If a Windows message appears and requests permission to make changes to the computer, click Yes. 2. On the Database Connectivity tab, verify that you selected the Static option for port configuration and type the new port number. 3. Click Apply. 4. Click OK. After you finish: 32 Configuration Guide Setting up the BlackBerry Enterprise Service 10 domain • In the Windows Services, restart the BlackBerry Enterprise Service 10 services. • Repeat the steps on each computer that hosts core components. Change the BlackBerry Administration Service port numbers 1. On the computer that hosts the BlackBerry Administration Service, open the BES10 Configuration Tool. If a Windows message appears and requests permission to make changes to the computer, click Yes. 2. 
On the BlackBerry Administration Service Pool tab, in the Port settings section, change the appropriate port numbers.
3. Click Synchronize.
4. Click OK.

After you finish:
• In the Windows Services, restart the BlackBerry Administration Service services.
• Repeat the steps on each computer that hosts a BlackBerry Administration Service instance.

Connecting BlackBerry Enterprise Service 10 to a company directory

You can connect BlackBerry Enterprise Service 10 to your company directory so that it can access the list of users in your organization. BlackBerry Enterprise Service 10 uses the company directory to create user accounts, to authenticate users when they activate devices, to authenticate administrators for the BlackBerry Enterprise Service 10 consoles, and to allow single sign-on among the consoles. If you do not connect BlackBerry Enterprise Service 10 to a company directory, you can create local user accounts and authenticate administrators using default authentication.

You can connect BlackBerry Enterprise Service 10 to Microsoft Active Directory or to an LDAP directory. You must configure both the BlackBerry Device Service and the Universal Device Service to connect to the company directory.

Connect the BlackBerry Device Service to Microsoft Active Directory

Before you begin: Create a Microsoft Active Directory account for the BlackBerry Device Service in a Windows domain that is part of the resource forest. When you create the account, specify a password that meets the security requirements of your organization and configure the following password settings:
• The user is not required to change the password at next login.
• The user's password never expires.
Because the password never expires, treat the account as a standing service credential: use a long, randomly generated password, and grant the account only the read permissions described in step 7.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Company directory integration.
2. Click Manage company directory connections.
3. Click Create a company directory connection.
4. Type a name and description for the company directory connection.
5. In the Type drop-down list, click Microsoft Active Directory.
6. Click Next.
7. In the Microsoft Active Directory login information section, in the User name field, type the name of the Microsoft Active Directory account that has permission to access the user containers and read the user objects that are stored in the global catalog servers in the resource forest.
8. In the Password and Confirm password fields, type the password for the Microsoft Active Directory account.
9. In the User domain field, type the name of the Windows domain that is part of the resource forest.
10. In the Global catalog search base field, perform one of the following actions:
   • To permit the BlackBerry Administration Service to search the entire global catalog, leave the field blank.
   • To control which user accounts the BlackBerry Administration Service can authenticate, type the DN of the user container (for example, OU=sales,DC=example,DC=com).
11. In the Global catalog server discovery drop-down list, perform one of the following actions:
   • If you want the BlackBerry Administration Service to find all of the global catalog servers in the resource forest automatically, click Automatic.
   • If you want to specify the global catalog servers that the BlackBerry Administration Service can access, click Specify servers and perform the following actions:
     a. In the Global catalog server section, type the FQDN of the global catalog server that you want the BlackBerry Administration Service to access (for example, globalcatalog01.example.com). The global catalog server must be located in the Windows domain that the Microsoft Active Directory account is located in.
     b. Click the Add icon.
     c. Repeat steps a and b for each global catalog server that you want the BlackBerry Administration Service to access.
12. In the Support for linked Microsoft Exchange mailboxes section, perform one of the following actions:
   • To disable support for linked Microsoft Exchange mailboxes, select the Turn off radio button.
   • To enable support for linked Microsoft Exchange mailboxes, select the Turn on radio button. To configure the Microsoft Active Directory account for each forest, in the Account forest name section, type the user domain name, username, and password for the Microsoft Active Directory account.
13. In the Login domain section, in the Default domain field, type the name of the default domain that users log in from.
14. In the Single sign-on authentication for BlackBerry Administration Service turned on drop-down list, perform one of the following actions:
   • To enable single sign-on authentication for the BlackBerry Administration Service, click Yes.
   • To leave single sign-on authentication for the BlackBerry Administration Service disabled, click No.
15. Optionally, in the Microsoft Active Directory search settings section, in the Active Directory user search filter field, type a search filter to refine the results of basic user information searches (for example, a filter that excludes disabled accounts). The search filter must use LDAP syntax.
16. If your organization does not use the default Microsoft Active Directory fields, in the Attribute mappings section, for each mapping that you want to change, type the appropriate attribute in the External attribute field.
17. Click Save.

The BlackBerry Administration Service validates the information for Microsoft Active Directory authentication. If the information is valid, the BlackBerry Administration Service implements the changes immediately and you do not need to restart the BlackBerry Administration Service services. If the information is not valid, the BlackBerry Administration Service prompts you to specify the correct information.
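The settings entered in the procedure above are easier to debug outside the console. The following PowerShell script is an added example, not part of this guide or of BlackBerry's software: it checks the two password settings on the service account, then binds to the global catalog as that account and runs the same search the BlackBerry Administration Service will run, with the search base and a user search filter. The account name bdsldap, the domain EXAMPLE and the search filter are assumptions for illustration; the global catalog name and the search base are the guide's own examples. It uses System.DirectoryServices, so it needs no RSAT module, and expects Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the BES10 guide. Run on a domain-joined Windows computer with
# Windows PowerShell 3.0 or later. Assumed values; replace them with yours.
$Account    = 'bdsldap'                       # sAMAccountName of the BDS directory account (assumed)
$UserDomain = 'EXAMPLE'                       # NetBIOS name of the Windows domain in the resource forest (assumed)
$GcServer   = 'globalcatalog01.example.com'   # a global catalog server in that domain (the guide's example name)
$SearchBase = 'OU=sales,DC=example,DC=com'    # the guide's example search base
# Assumed search filter: enabled user objects only. 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND
# rule and bit 2 of userAccountControl is ACCOUNTDISABLE, so disabled accounts never reach the user list.
$UserFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

function Get-Prop($result, $name) {
    # SearchResult properties are collections; return the first value, or '' if the attribute is absent
    if ($result.Properties.Contains($name)) { $result.Properties[$name][0] } else { '' }
}

# 1. The two password settings the guide requires on the account.
$acctSearch = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$Account)")
[void]$acctSearch.PropertiesToLoad.AddRange([string[]]@('userAccountControl', 'pwdLastSet', 'distinguishedName'))
$acct = $acctSearch.FindOne()
if (-not $acct) { throw "Account $Account not found in the current domain" }
$uac          = [int](Get-Prop $acct 'userAccountControl')
$mustChange   = ([int64](Get-Prop $acct 'pwdLastSet') -eq 0)   # pwdLastSet 0 = must change password at next logon
$neverExpires = (($uac -band 0x10000) -ne 0)                  # 0x10000 = DONT_EXPIRE_PASSWORD
"Account       : $(Get-Prop $acct 'distinguishedName')"
"Must change   : $mustChange (must be False)"
"Never expires : $neverExpires (must be True)"
if ($mustChange -or -not $neverExpires) { Write-Warning 'Fix the account settings before creating the directory connection' }

# 2. Bind to the global catalog as that account and run the search the BAS will run.
#    GC:// talks to the global catalog port (3268); AuthenticationTypes.Secure is a Kerberos/NTLM
#    bind, so the password is never sent as a cleartext simple bind.
$cred = Get-Credential -UserName "$UserDomain\$Account" -Message 'Password of the BDS directory account'
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "GC://$GcServer/$SearchBase",
    $cred.UserName,
    $cred.GetNetworkCredential().Password,
    [System.DirectoryServices.AuthenticationTypes]::Secure)
$userSearch = New-Object System.DirectoryServices.DirectorySearcher($root, $UserFilter)
[void]$userSearch.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'mail', 'userPrincipalName'))
$userSearch.PageSize = 500          # paged results, so searches that match more than 1000 users complete
$users = $userSearch.FindAll()
"Matched $($users.Count) user objects under $SearchBase on $GcServer"
$users | Select-Object -First 5 | ForEach-Object {
    '{0,-20} {1,-32} {2}' -f (Get-Prop $_ 'sAMAccountName'), (Get-Prop $_ 'mail'), (Get-Prop $_ 'userPrincipalName')
}
$users.Dispose()
```

If the count in step 2 is zero or far larger than expected, adjust the search base or the filter before saving the connection in the console: a filter that is too broad lets every directory object through to the list of users you can add, and one that is too narrow silently hides accounts.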
Connect the BlackBerry Device Service to an LDAP directory

You can connect the BlackBerry Device Service to an LDAP directory so that it can access the list of users in your organization.

Before you begin: Create an LDAP account for the BlackBerry Administration Service in the relevant LDAP realm. When you create the account, specify a password that meets the security requirements of your organization and configure the following password settings:
• The user is not required to change the password at next login.
• The user's password never expires.
If the LDAP connection is SSL encrypted, import the server certificate before you connect the BlackBerry Device Service to the company directory. For instructions, see Import the server certificate for an LDAP connection using SSL.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Company directory integration.
2. Click Manage company directory connections.
3. Click Create a company directory connection.
4. Type a name and description for the company directory connection.
5. In the Type drop-down list, click LDAP.
6. Click Next.
7. In the Server discovery drop-down list, perform one of the following actions:
   • To discover the LDAP server automatically, click Automatic. In the DNS domain name field, type the domain name for the server that hosts the company directory.
   • To specify one or more LDAP servers, click Specify servers. Type the name of the LDAP server and click the Add icon. Repeat this step to add more servers.
8. In the Enable SSL drop-down list, perform one of the following actions:
   • If the LDAP connection is SSL encrypted, click Yes.
   • If the LDAP connection is not SSL encrypted, click No.
9. In the Port field, type the TCP port number for communication (for example, 636 for SSL enabled or 389 for SSL disabled).
10. In the Authorization required drop-down list, perform one of the following actions:
   • If authorization is required for the connection, click Simple. In the Login field, type the DN of the user who has authorization to log in to LDAP (for example, cn=admin,o=Org1). In the Password and Confirm password fields, type the password.
   • If authorization is not required for the connection, click None.
   Note: With Enable SSL set to No, a simple bind sends the account password to the directory server in cleartext. Use SSL whenever the directory supports it.
11. Optionally, in the Search base field, type the value to use as the base DN for basic user information searches.
12. Optionally, in the User search filter field, type an LDAP search filter to improve the performance and results of basic user information searches.
13. Optionally, in the User search scope drop-down list, perform one of the following actions:
   • To search all objects below the base object, click All levels. This is the default setting.
   • To search objects that are one level immediately below the base object, click One level.
   • To search for a particular object, click Object level.
14. In the Display name field, type the attribute for each user's display name (for example, displayName). If you do not set the value, a default value is used.
15. In the Email address field, type the attribute for each user's email address (for example, mail). If you do not set the value, a default value is used.
16. In the Username field, type the attribute for each user's username (for example, userName).
17. In the Unique identifier field, type the attribute for each user's unique identifier (for example, uid).
18. In the UPN for SCEP field, type the attribute for the user principal name for SCEP (for example, userPrincipalName).
19. In the Email profile account name field, type the attribute for each user's email profile account name (for example, mail).
20. In the First name field, type the attribute for each user's first name (for example, givenName).
21. In the Last name field, type the attribute for each user's last name (for example, sn).
22. Click Save.

Import the server certificate for an LDAP connection using SSL

The imported server certificate is used if the LDAP company directory connection is SSL encrypted. The server certificate must be a .der or .cer file without a password.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Company directory integration.
2. Click Manage company directory connections.
3. Click Import server SSL certificate for LDAP.
4. Click Browse. Navigate to and select the SSL certificate that is used to trust the connection.
5. Click Save.
6. Log out, restart all BlackBerry Administration Service instances, and then log in again.

Connect the Universal Device Service to Microsoft Active Directory

You can connect the Universal Device Service to Microsoft Active Directory so that it can access the list of users in your organization.

1. In the Administration Console, on the menu bar, click Settings > Company Directory.
2. Select the Enable Microsoft Active Directory check box.
3. Type the username and password for the Microsoft Active Directory server.
4. In the Directory URL field, type the directory URL, beginning with LDAP:// or GC://.
5. Click Test to test the Microsoft Active Directory server settings.
6. In the Polling interval for directory information field, select a unit of time from the drop-down list and specify how often you want the Universal Device Service to poll Microsoft Active Directory for user account information.
7. Click Save.

Connect the Universal Device Service to an LDAP directory

You can connect the Universal Device Service to an LDAP directory so that it can access the list of users in your organization.
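Both certificate-import procedures on this page (Import server SSL certificate for LDAP for the BlackBerry Device Service, above, and the MMC procedure for the Universal Device Service that follows the next procedure) need a password-less DER (.cer) file, and neither tells you what the LDAP server is actually presenting. The following PowerShell script is an added example, not part of this guide or of BlackBerry's software: it opens a TLS session to the LDAPS port, reports the certificate's subject, issuer, validity and thumbprint, checks that the name in it matches the server name you are about to configure and that this computer can build a trusted chain, then writes the server certificate and the root CA certificate as DER files. The server name ldap01.example.com is an assumption; nothing is sent over the session beyond the TLS handshake.

```powershell
# Added example, not from the BES10 guide. Run on the BES10 host (or any Windows computer that can
# reach the directory server). Assumed values; replace them with yours.
$Server = 'ldap01.example.com'   # the LDAP server name you will configure (assumed)
$Port   = 636                    # LDAPS port
$OutDir = $env:TEMP

# 1. Open a TLS session to the LDAP port and keep the certificate the server presents. The callback
#    returns $true only so an untrusted certificate can be inspected; the chain is checked explicitly in
#    step 2, and no LDAP request is ever sent over this session.
$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback] { $true })
$ssl.AuthenticateAsClient($Server)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose()
$tcp.Close()

# 2. What a practitioner checks before trusting the certificate.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($leaf)
$dnsName = $leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
"Subject         : $($leaf.Subject)"
"Issuer          : $($leaf.Issuer)"
"Valid until     : $($leaf.NotAfter)"
"SHA-1 thumbprint: $($leaf.Thumbprint)"
"Name in cert    : $dnsName (matches $Server : $($dnsName -eq $Server))"   # exact match only; wildcards not handled
"Chain trusted by this computer: $trusted"
if (-not $trusted) { $chain.ChainStatus | ForEach-Object { "  chain status: $($_.Status) $($_.StatusInformation.Trim())" } }
if ($leaf.NotAfter -lt (Get-Date)) { Write-Warning 'The LDAP server certificate has expired' }
if ($dnsName -ne $Server)          { Write-Warning 'The certificate name does not match the server name you will configure' }

# 3. Export as password-less DER (.cer), the format both import procedures require.
$derType  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$leafFile = Join-Path $OutDir "$Server-server.cer"
[System.IO.File]::WriteAllBytes($leafFile, $leaf.Export($derType))
"Server certificate written to $leafFile (BDS: Import server SSL certificate for LDAP)"

# The last element of the chain is the root CA, which the UDS MMC procedure imports. If the chain could
# not be built past the server certificate, either the certificate is self-signed (import the server
# certificate file itself) or you need the CA certificate from the directory administrator.
if ($chain.ChainElements.Count -gt 1) {
    $rootCa   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootFile = Join-Path $OutDir "$Server-rootca.cer"
    [System.IO.File]::WriteAllBytes($rootFile, $rootCa.Export($derType))
    "Root CA certificate written to $rootFile (UDS: Trusted Root Certification Authorities)"
    # Same effect as the MMC steps, on Windows 8 / Windows Server 2012 or later (PKI module):
    #   Import-Certificate -FilePath $rootFile -CertStoreLocation Cert:\LocalMachine\Root
} else {
    Write-Warning 'Only the server certificate was available; the chain could not be built to a root CA'
}
```

Record the thumbprint the script prints and compare it with the one the directory administrator gives you before importing either file: importing whatever a host on port 636 happens to present is exactly the trust-on-first-use mistake the import step exists to avoid.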
Before you begin: If you want to use SSL for the LDAP connection, you must import the server certificate using MMC. For more information, see Import the server certificate for an LDAP connection that uses SSL.

1. In the Administration Console, on the menu bar, click Settings > Company Directory.
2. Select the Corporate LDAP Directory checkbox.
3. In the LDAP server discovery drop-down list, complete one of the following tasks:
   • Select Automatic, and type the domain name of the LDAP server in the Domain field.
   • Select Select server from the list below, and type the server address in the LDAP Server field.
4. In the LDAP Port field, type the TCP port number for communication. The default port for an SSL enabled connection is 636. The default port for a connection that is not encrypted is 389.
5. If the connection requires authorization, select the Authorization required checkbox, select Simple in the Authentication type drop-down list, and specify the username and password of the user that has LDAP search permissions.
   Note: For an SSL enabled connection that uses anonymous authorization, you must deselect the Authorization required checkbox.
6. Optionally, in the Search base field, type the location in the company directory where you want searches in the directory to begin.
7. Optionally, in the LDAP user search scope drop-down list, perform one of the following actions:
   • To search all objects below the base object, click All levels. This is the default setting.
   • To search objects that are one level immediately below the base object, click One level.
8. In the Object class field, type the name of the object class that your user accounts belong to.
9. In the Unique identifier field, type the unique identifier attribute for the LDAP directory (for example, uid).
10. In the Login attribute field, type the login attribute to use for authentication (for example, cn).
11. In the Email address field, type the attribute that contains the user's email address (for example, mail).
12. In the Display name field, type the attribute that contains the user's display name (for example, displayName).
13. Click Test to confirm that the connection to the company directory is configured correctly.
14. Click Save.

Import the server certificate for an LDAP connection that uses SSL

The imported server certificate is used if the LDAP company directory connection is SSL encrypted. The server certificate must be a .der or .cer file without a password.

1. On the computer that hosts the BlackBerry Enterprise Service 10 core components, open MMC (for example, type mmc at a command prompt or in Windows PowerShell).
2. On the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, select Certificates.
4. Click Add.
5. In the Certificates snap-in dialog box, select Computer account.
6. Click Next.
7. Select Local computer, and click Finish.
8. Click OK.
9. In MMC, expand Certificates (Local Computer) > Trusted Root Certification Authorities.
10. Right-click Certificates and select All tasks > Import.
11. In the Certificate Import Wizard, click Next.
12. Browse for the root CA certificate, and click Open.
13. Click Next until the final window in the wizard appears.
14. Click Finish.

Configuring single sign-on for the BlackBerry Enterprise Service 10 consoles

You can configure single sign-on for the BlackBerry Enterprise Service 10 consoles so that administrators and BES10 Self-Service users do not need to provide their usernames and passwords each time they access a console. When you configure single sign-on, the browser uses the Windows credentials that they logged in to the computer with to authenticate them automatically.
Single sign-on works if you require your organization's administrators and users to use Microsoft Active Directory authentication to log in to the BlackBerry Enterprise Service 10 consoles.

Single sign-on is beneficial if your organization's administrators need to access the BlackBerry Administration Service or Administration Console from BlackBerry Management Studio frequently. It allows administrators to access the BlackBerry Administration Service or Administration Console from BlackBerry Management Studio without having to log in again.

You must configure single sign-on for all the BlackBerry Enterprise Service 10 consoles (for example, you cannot configure single sign-on for the Administration Console only).

Prerequisites
• Install all BlackBerry Enterprise Service 10 instances in the same Microsoft Active Directory network.
• Configure the BlackBerry Device Service and the Universal Device Service to connect to Microsoft Active Directory. Ensure that the BlackBerry Device Service and the Universal Device Service use the same connectivity settings to Microsoft Active Directory.
• Configure the consoles to use Microsoft Active Directory authentication.
• Create a Microsoft Active Directory account in the User Account forest. This account can be a basic Microsoft Active Directory domain user account (for example, an LDAP reader account). It does not require additional permissions, such as the permissions that the account used to run the BlackBerry Enterprise Service 10 services requires, and it does not require access to Microsoft Exchange objects.
• Configure the browsers used by administrators and BES10 Self-Service users as follows:
   • Integrated Windows Authentication turned on
   • The BlackBerry Administration Service, Administration Console, BlackBerry Management Studio, and BES10 Self-Service URLs assigned to the local intranet zone
   • The certificates for the BlackBerry Enterprise Service 10 consoles installed in the certificate store

Configure constrained delegation for the Microsoft Active Directory account to support single sign-on

To support single sign-on, you need to configure constrained delegation for the Microsoft Active Directory account that you create. Constrained delegation allows the browser to use the credentials of the user to authenticate with Microsoft Active Directory. For more information about configuring constrained delegation for the Microsoft Active Directory account, visit www.blackberry.com/go/kbhelp to read article KB34183.

1. At a command prompt, use the setspn command to add the following SPNs for the consoles to the Microsoft Active Directory account. The SPNs that you need depend on your deployment:

   Installed all BlackBerry Enterprise Service 10 components on a single computer:
   • HTTP/<FQDN_of_the_computer>
   • BASPLUGIN111/<FQDN_of_the_computer>

   Installed the administration consoles on a separate computer from the BlackBerry Enterprise Service 10 core components:
   • HTTP/<FQDN_of_the_core_components_computer>
   • HTTP/<FQDN_of_the_consoles_computer>
   • BASPLUGIN111/<FQDN_of_the_core_components_computer>
   • BASPLUGIN111/<FQDN_of_the_consoles_computer>

   Created a BlackBerry Administration Service pool:
   • HTTP/<FQDN> for each computer that hosts a BlackBerry Administration Service instance
   • If you installed the core components on a separate computer, HTTP/<FQDN_of_the_core_components_computer>
   • HTTP/<BAS_pool_FQDN>
   • BASPLUGIN111/<FQDN> for each computer that hosts a BlackBerry Administration Service instance
   • If you installed the core components on a separate computer, BASPLUGIN111/<FQDN_of_the_core_components_computer>
   • BASPLUGIN111/<BAS_pool_FQDN>

   Configured high availability by installing active and standby instances of the core components:
   • HTTP/<FQDN_of_the_primary_instance>
   • HTTP/<FQDN_of_the_standby_instance>
   • If you installed the consoles on a separate computer, HTTP/<FQDN_of_the_consoles_computer>
   • If you created a BlackBerry Administration Service pool, HTTP/<BAS_pool_FQDN>
   • BASPLUGIN111/<FQDN_of_the_primary_instance>
   • BASPLUGIN111/<FQDN_of_the_standby_instance>
   • If you installed the consoles on a separate computer, BASPLUGIN111/<FQDN_of_the_consoles_computer>
   • If you created a BlackBerry Administration Service pool, BASPLUGIN111/<BAS_pool_FQDN>

   The command format is setspn -F -S <SPN> <domain>\<account>. For example:
   • setspn -F -S BASPLUGIN111/BASconsole104.example.com EXAMPLE\ldapreader
   • setspn -F -S HTTP/BASconsole104.example.com EXAMPLE\ldapreader

   You must ensure that the SPNs are not duplicated in the Microsoft Active Directory forest.
2. If you create separate sub-pools of BlackBerry Administration Service instances and BES10 Self-Service instances in the BlackBerry Administration Service pool, add the HTTP/<sub-pool_FQDN> SPN for each sub-pool to the Microsoft Active Directory account.
3. Configure the Microsoft Active Directory account for constrained delegation using the following settings:
   • Trust this user for delegation to specific services only
   • Use Kerberos only
4. In the Microsoft Active Directory account properties, on the Delegation tab, add the SPNs that you created in steps 1 and 2 to the list of services.

Configure single sign-on for the Administration Console

1. In the Administration Console, on the menu bar, click Settings > Microsoft Active Directory.
2. On the Microsoft Active Directory screen, select Enable Windows Single Sign-on.
3. Click Test to test the Microsoft Active Directory settings.
4. Click Save.

After you finish: In the Windows Services, restart the BES10 - Administration Console service.

Configure single sign-on for the BlackBerry Administration Service

When you configure single sign-on for the BlackBerry Administration Service, you also configure it for BES10 Self-Service and BlackBerry Management Studio.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Company directory integration.
2. Click Manage company directory connections.
3. Click the Microsoft Active Directory name that you want to change.
4. Click Edit company directory connection.
5. In the Microsoft Active Directory login information section, in the Single sign-on authentication for BlackBerry Administration Service turned on drop-down list, click Yes.
6. To configure the Microsoft Active Directory account for each forest, type the user domain name, user name, and password for the Microsoft Active Directory account.
7. Click the Add icon.
8. Click Save.

After you finish:
• In the Windows Services, restart all of the BlackBerry Administration Service services and the BlackBerry Management Studio service. Complete this step on all computers that host BlackBerry Enterprise Service 10 administration consoles.
• Instruct all administrators to add the URLs for the BlackBerry Enterprise Service 10 administration consoles to the list of web sites in the local intranet zone and to install the certificates for the consoles in the certificate store of their computers.

BlackBerry Administration Service URL for single sign-on

If you configure single sign-on, you must instruct administrators to access the BlackBerry Administration Service using the following URL: https://<FQDN>:<port>/webconsole/login. The default port for the BlackBerry Administration Service is port 38443.
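Steps 1 to 4 of Configure constrained delegation for the Microsoft Active Directory account to support single sign-on, above, can be done from PowerShell, which also lets you check for the duplicate SPNs that procedure warns about before registering anything. The script below is an added example, not from this guide or from BlackBerry. It covers the deployment shape with the consoles on a separate computer and a BlackBerry Administration Service pool; the account EXAMPLE\ldapreader is the guide's own example, while the host names BASconsole104.example.com and BASconsole105.example.com, the pool name baspool.example.com and the core host bescore01.example.com are assumptions. It needs the ActiveDirectory module (RSAT) and setspn.exe, and must run as an account that can write the delegation account's attributes.

```powershell
# Added example, not from the BES10 guide. Needs the ActiveDirectory module (RSAT), setspn.exe, and
# rights to modify the delegation account. Assumed names; adjust the host list to your deployment
# using the SPN table above.
Import-Module ActiveDirectory

$Domain  = 'EXAMPLE'
$Account = 'ldapreader'                  # the delegation account (the guide's example name)
$Hosts   = @(
    'BASconsole104.example.com',         # BAS instance 1, on the consoles computer (assumed)
    'BASconsole105.example.com',         # BAS instance 2 (assumed)
    'baspool.example.com',               # BAS pool name (assumed)
    'bescore01.example.com'              # core components computer (assumed)
)
$Spns = foreach ($h in $Hosts) { "HTTP/$h"; "BASPLUGIN111/$h" }
$accountDn = (Get-ADUser -Identity $Account).DistinguishedName

# 1. Forest-wide duplicate check before touching anything. A duplicate SPN leaves the KDC unable to
#    choose the right key, so Kerberos, and with it SSO, fails for that name. setspn -Q prints the DN of
#    each object that already holds the SPN on its own line.
$conflicts = foreach ($spn in $Spns) {
    $owners = (& setspn.exe -F -Q $spn 2>&1) | Where-Object { "$_" -match '^CN=' }
    foreach ($o in $owners) { if ("$o" -ne $accountDn) { "$spn is already registered on $o" } }
}
if ($conflicts) { $conflicts | ForEach-Object { Write-Warning $_ }; throw 'Resolve the duplicate SPNs first' }

# 2. Register the SPNs. -S refuses duplicates; -F widens that check from the domain to the forest.
foreach ($spn in $Spns) { & setspn.exe -F -S $spn "$Domain\$Account" | Out-Null }

# 3. "Trust this user for delegation to specified services only" + "Use Kerberos only":
#    msDS-AllowedToDelegateTo names the services, and TRUSTED_TO_AUTH_FOR_DELEGATION stays off so the
#    account cannot use protocol transition to obtain tickets for users who never authenticated to it.
Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$Spns }
Set-ADAccountControl -Identity $Account -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# 4. Show the result.
$u = Get-ADUser -Identity $Account -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
"SPNs on $Account        : $($u.servicePrincipalName -join ', ')"
"Delegation targets      : $($u.'msDS-AllowedToDelegateTo' -join ', ')"
"Unconstrained delegation: $($u.TrustedForDelegation) (must be False)"
"Protocol transition     : $($u.TrustedToAuthForDelegation) (must be False)"
```

Keeping TrustedForDelegation and TrustedToAuthForDelegation both False is what makes the delegation "constrained" and "Kerberos only": the account can only obtain service tickets for the listed SPNs, and only on behalf of users who actually presented a Kerberos ticket to it. Run setspn -X afterwards if you want a forest-wide report of any remaining duplicate SPNs.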
Single sign-on authentication takes precedence over the other authentication methods that permit administrators to log in to the BlackBerry Administration Service. If the security policies in your organization require that administrators use another authentication method, you must instruct administrators to access the BlackBerry Administration Service using the following URL: https://<FQDN>:<port>/webconsole/app.

Assigning the device management role for Android devices and iOS devices

In a BlackBerry Enterprise Service 10 domain, one instance of the core components is responsible for communicating management data to and from Android devices and iOS devices. If you configure your environment to support high availability, this role is assigned to one high availability pair in the domain. When a failover occurs, the role is transferred from the primary instance to the standby instance.

By default, the setup application assigns this role to the first instance of the core components that you install in the domain, or to the first instance that you upgrade. Using the BlackBerry Device Service console (the BlackBerry Administration Service), you can assign this role to a different instance of the core components, or to a different high availability pair. If you assign the role to a different instance or high availability pair, you must complete an additional task to connect the Administration Console to the primary instance with the role. If you do not complete this task, you cannot use the Administration Console to manage Android devices and iOS devices.

Note: If you assign the device management role to a different primary instance or high availability pair, BlackBerry Management Studio cannot connect to the new primary instance that is assigned the role. As a result, you cannot manage Android devices and iOS devices from BlackBerry Management Studio unless you assign the role back to the initial instance or high availability pair. A workaround is available if you want to configure BlackBerry Management Studio to connect to the new server instance with the device management role. To learn more about the workaround, visit www.blackberry.com/go/kbhelp to read article KB34319.

Assign the device management role to a different instance or high availability pair

1. In the BlackBerry Administration Service, on the Servers and components menu, click BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Device Service.
2. Click Edit component.
3. In the BlackBerry Device Service instance used for non-BlackBerry Device Management drop-down list, click the appropriate instance or high availability pair.
4. Click Save all.

After you finish:
• After you assign the device management role for Android devices and iOS devices, you must connect the Administration Console to the primary instance with the device management role. See Configure the Administration Console to connect to the new primary instance.
• BlackBerry Management Studio cannot connect to the new primary instance that is assigned the role, so you cannot manage Android devices and iOS devices from BlackBerry Management Studio unless you assign the role back to the initial instance or high availability pair, or apply the workaround described in article KB34319 at www.blackberry.com/go/kbhelp.
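The first After you finish item above, connecting the Administration Console to the new primary instance, is the config.properties edit described in the next procedure followed by a service restart. The following PowerShell script is an added example, not part of this guide or of BlackBerry's software: it confirms that the new primary instance is listening on the expected port, backs up config.properties, rewrites only the mdm.restServer line, and restarts the console service. The host name bescore02.example.com and drive C: are assumptions; the file path is the guide's own, and the service is looked up by the display name the guide gives.

```powershell
# Added example, not from the BES10 guide. Run in an elevated Windows PowerShell session on the computer
# that hosts the active Administration Console. Assumed values; replace them with yours.
$NewHost = 'bescore02.example.com'   # computer that now holds the device management role (assumed)
$NewPort = 9081                      # 8081 if the domain was upgraded from Universal Device Service 6.x
$File    = 'C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.Gui\webapps\ROOT\WEB-INF\classes\config.properties'
$ServiceDisplayName = 'BES10 - Administration Console'   # display name as written in the guide (assumed exact)

# 1. Is anything listening where the console is about to be pointed? (TCP connect only, no TLS.)
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($NewHost, $NewPort) }
catch   { throw "Nothing answers on ${NewHost}:${NewPort}; check the new primary instance before editing" }
finally { $tcp.Close() }

# 2. Back up the file, then rewrite only the mdm.restServer line and leave every other property alone.
$backup = '{0}.{1}.bak' -f $File, (Get-Date -Format 'yyyyMMddHHmmss')
Copy-Item -Path $File -Destination $backup
$lines = Get-Content -Path $File
$old   = $lines | Where-Object { $_ -match '^\s*mdm\.restServer\s*=' }
if (-not $old) { throw "mdm.restServer not found in $File" }
$replacement = '${1}https://' + $NewHost + ':' + $NewPort        # ${1} keeps the "mdm.restServer=" prefix
$new = $lines -replace '^(\s*mdm\.restServer\s*=\s*).*$', $replacement
Set-Content -Path $File -Value $new -Encoding Default            # keep a single-byte encoding, as Java expects for .properties
"Backup : $backup"
"Before : $old"
"After  : $($new | Where-Object { $_ -match '^\s*mdm\.restServer' })"

# 3. Restart the console service so it reads the new endpoint.
Get-Service -DisplayName $ServiceDisplayName | Restart-Service -Verbose
```

The backup matters because the procedure gives no way to discover the previous value afterwards; if the Administration Console cannot manage Android or iOS devices after the restart, compare the Before and After lines the script prints rather than re-editing by hand.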
Configure the Administration Console to connect to the new primary instance

The Administration Console must connect to the primary instance that is assigned the device management role for Android devices and iOS devices. If you assign this role to a different primary instance or high availability pair, or if a failover occurs in a high availability pair that is assigned the role (and you want device service to continue on the standby instance), you must connect the Administration Console to the new primary instance that is assigned the role.

1. On the computer that hosts the active Administration Console, navigate to <drive>:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.Gui\webapps\ROOT\WEB-INF\classes.
2. In a text editor, open config.properties.
3. Locate mdm.restServer=<FQDN>:<port>, where <FQDN> is the FQDN of the initial primary instance, and <port> is the port that the Administration Console uses to connect to that computer. For example, mdm.restServer=https://SERVER1.TESTNET.RIM.NET:9081.
4. Change <FQDN> to the FQDN of the computer that hosts the new primary instance with the device management role.
5. If necessary, change <port> to the port that the Administration Console uses to connect to the computer that hosts the new primary instance. The default port number is 9081. If you upgraded Universal Device Service 6.x to BlackBerry Enterprise Service 10 version 10.1 or later, the default port number is 8081.
6. Save and close the file.

After you finish: In the Windows Services, restart the BES10 - Administration Console service.

Configuring high availability for BlackBerry Enterprise Service 10

If you want to enhance the stability and reliability of BlackBerry Enterprise Service 10, you can configure the core components to support high availability. A high availability configuration includes one or more high availability pairs.
A high availability pair consists of a primary instance of the core components, and a standby instance of the same components that you install on a different computer. Both instances use the same SRP credentials, and are connected to the same BlackBerry Enterprise Service 10 databases. The primary instance is the active instance that communicates with devices and manages data in the domain. BlackBerry Enterprise Service 10 monitors the health and availability of the primary instance and the standby instance using health parameters with predefined performance thresholds. If the health parameters indicate that the primary instance is not performing as expected (for example, a component is not responding), BlackBerry Enterprise Service 10 initiates an automatic failover of device service to the standby instance. BlackBerry Enterprise Service 10 also verifies that the standby instance is healthy enough to be promoted. The standby instance becomes the new primary instance, and device service continues uninterrupted. The instance that was previously the primary becomes the standby instance. When a failover event occurs, device service fails over to all components on the standby instance, regardless of whether there was an issue with one or several components on the primary instance. Each core component is associated with the BlackBerry Device Service or the Universal Device Service; all of the core components fail over together and use the same primary instance. You can configure as many high availability pairs as your organization’s environment requires. By default, the core components are configured for automatic failover. You have the option to turn off automatic failover, and you can initiate a manual failover at any time. 
Architecture: High availability for BlackBerry Enterprise Service 10

The following diagram shows an example of a high availability configuration with two high availability pairs. The components in the diagram are:

Administration consoles
   The administration consoles are connected to all primary instances and standby instances in the domain. You can install one or several instances of each console. The consoles can be installed on a computer that hosts a primary instance or a standby instance, or on a different computer.

Primary instance
   A primary instance is an active instance that communicates with devices and manages data in the domain. Each primary instance consists of the core BlackBerry Enterprise Service 10 components, and is associated with one standby instance. One primary instance in the domain is responsible for the device management role for Android devices and iOS devices. For more information about this role, see Assigning the device management role for Android devices and iOS devices. If a primary instance is not performing as expected, BlackBerry Enterprise Service 10 initiates an automatic failover of device service to the standby instance.

Standby instance
   A standby instance is a back-up server for a primary instance. Each standby instance consists of the same core components as a primary instance, and is associated with one primary instance. When a failover occurs, BlackBerry Enterprise Service 10 verifies that a standby instance is healthy before promoting it to become the primary instance.

BlackBerry Enterprise Service 10 databases
   The BlackBerry Enterprise Service 10 databases are the BlackBerry Configuration Database, associated with the BlackBerry Device Service, and the Management Database, associated with the Universal Device Service. You specify a name for the databases when you install BlackBerry Enterprise Service 10. By default, the name of a new BlackBerry Configuration Database is BDSMgmt. The setup application creates the Management Database and gives it the same name with "_UDS" appended (for example, BDSMgmt_UDS). If you upgrade from a supported product to BlackBerry Enterprise Service 10 version 10.1, the upgraded databases use the name of the existing database. For example, if you upgrade BlackBerry Device Service 6.2 to BlackBerry Enterprise Service 10 version 10.1, and the existing BlackBerry Configuration Database is named CorporateDB, the upgraded BlackBerry Enterprise Service 10 databases are named CorporateDB (BlackBerry Configuration Database) and CorporateDB_UDS (Management Database). Each primary instance and standby instance is connected to the BlackBerry Enterprise Service 10 databases. You can configure high availability for the databases using database mirroring. For more information, see Configuring high availability for BlackBerry Enterprise Service 10 databases.

Components that support high availability failover

The following BlackBerry Enterprise Service 10 core components support high availability using a failover model. For each component, the list gives the service it is associated with, its status on the primary instance and on the standby instance, and what happens at failover. Note that when an automatic or manual failover occurs, the standby instance becomes the new primary instance, and what was previously the primary instance becomes the standby instance.

BlackBerry Controller (BlackBerry Device Service)
   Primary: Started. Standby: Started.
   Device service fails over from the primary instance to the standby instance.

BlackBerry Dispatcher (BlackBerry Device Service)
   Primary: Started. Standby: Started.
   Device service fails over from the primary instance to the standby instance.
BlackBerry MDS Connection Service
  Associated with: BlackBerry Device Service
  Status - primary: Started
  Status - standby: Started
  Description: Device service fails over from the primary instance to the standby instance.

BlackBerry Secure Connect Service
  Associated with: Universal Device Service
  Status - primary: Started
  Status - standby: Started
  Description: Device service fails over from the primary instance to the standby instance.

BlackBerry Web Services
  Associated with: Universal Device Service
  Status - primary: Started if the instance has the device management role; Not started if the instance does not have the device management role
  Status - standby: Not started
  Description: The BlackBerry Web Services are started only on the primary instance with the device management role for Android devices and iOS devices. They are not started on other primary instances or standby instances. Device service fails over from the primary instance to the standby instance. The BlackBerry Web Services start automatically when device service fails over to the standby instance.

BlackBerry Work Connect Notification Service
  Associated with: Universal Device Service
  Status - primary: Started if the instance has the device management role; Not started if the instance does not have the device management role
  Status - standby: Not started
  Description: The BlackBerry Work Connect Notification Service is started only on the primary instance with the device management role for Android devices and iOS devices. It is not started on other primary instances or standby instances. Device service fails over from the primary instance to the standby instance. The BlackBerry Work Connect Notification Service starts automatically when device service fails over to the standby instance.

Communication Module
  Associated with: Universal Device Service
  Status - primary: N/A
  Status - standby: N/A
  Description: Exists as a website in Microsoft IIS on both the primary instance and the standby instance.

Core Module
  Associated with: Universal Device Service
  Status - primary: N/A
  Status - standby: N/A
  Description: Exists as a website in Microsoft IIS on both the primary instance and the standby instance.

Enterprise Management Web Service
  Associated with: BlackBerry Device Service
  Status - primary: Started
  Status - standby: Not started
  Description: Device service fails over from the primary instance to the standby instance. The Enterprise Management Web Service starts automatically when device service fails over to the standby instance.

Scheduler
  Associated with: Universal Device Service
  Status - primary: Started
  Status - standby: Started
  Description: On the primary instance, the Scheduler runs in primary mode. On the standby instance, the Scheduler runs in standby (or idle) mode.

Components that do not support high availability failover

BlackBerry Administration Service
  You can install multiple instances to create a BlackBerry Administration Service pool. Data is load balanced across the BlackBerry Administration Service instances in the pool. If one instance is not available, the other instances in the pool manage the data. For more information about configuring a BlackBerry Administration Service pool, see Configuring multiple BlackBerry Administration Service instances, and visit docs.blackberry.com/BES10 to read the BlackBerry Enterprise Service 10 Installation Guide.

Administration Console
  You can install more than one instance of the Administration Console in a BlackBerry Enterprise Service 10 domain, but only one instance can be active. The first instance that you install is started by default and is the active instance. Additional instances that you install are disabled. If the active Administration Console stops responding, you must restore service, or you can make another instance active (see Change the active Administration Console instance). For more information about installing the Administration Console, visit docs.blackberry.com/BES10 to read the BlackBerry Enterprise Service 10 Installation Guide.

BlackBerry Management Studio
  You can install multiple instances of BlackBerry Management Studio in a domain, but BlackBerry Management Studio does not support failover from a primary instance to a standby instance. For more information about installing BlackBerry Management Studio, visit docs.blackberry.com/BES10 to read the BlackBerry Enterprise Service 10 Installation Guide.

BlackBerry Licensing Service
  You can install more than one instance of the BlackBerry Licensing Service in a domain, but only one instance can be active. The first instance that you install is started by default and is the active instance. Additional instances that you install are disabled. If the active BlackBerry Licensing Service stops responding, you must restore service, or you can make another instance active. While no BlackBerry Licensing Service instance is active, devices cannot be activated, so complete the required actions before you make another instance active. For more information about configuring the BlackBerry Licensing Service, visit docs.blackberry.com/BES10 to read the BlackBerry Enterprise Service 10 Licensing Guide.

BlackBerry Router
  The BlackBerry Router does not support failover from a primary instance to a standby instance.

BlackBerry Collaboration Service
  You can install multiple instances to create a BlackBerry Collaboration Service pool. Data is load balanced across the BlackBerry Collaboration Service instances in the pool. If one instance is not available, the other instances in the pool manage the data. For more information about installing and configuring the BlackBerry Collaboration Service, visit www.blackberry.com/go/serverdocs to read the BlackBerry Collaboration Service for the Enterprise IM App Installation and Administration Guide.
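The following script is an added example and is not part of the BlackBerry Enterprise Service 10 guide or of BlackBerry's software: it encodes the expected primary and standby service states from the component table above and compares them with the Windows services on the two computers in a high availability pair. It assumes Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7), an account with remote service query rights on both hosts, and that the service display names match the "BES10 - ..." names the guide uses in its stop and start lists; the host names in the usage line are placeholders.

```powershell
# Added example, not from the BES10 guide. Assumes Windows PowerShell 5.1 and that the
# service display names below match the "BES10 - ..." names used by the guide.

# Expected states from the guide's component table: Started = Running, Not started = Stopped.
# RoleBound marks services that run only on the primary instance that holds the device
# management role for Android and iOS devices; on a standby they are started by failover.
$ExpectedServices = @(
    @{ Name = 'BES10 - BlackBerry MDS Connection Service';            Primary = 'Running'; Standby = 'Running'; RoleBound = $false }
    @{ Name = 'BES10 - BlackBerry Secure Connect Service';            Primary = 'Running'; Standby = 'Running'; RoleBound = $false }
    @{ Name = 'BES10 - Scheduler';                                    Primary = 'Running'; Standby = 'Running'; RoleBound = $false }
    @{ Name = 'BES10 - Enterprise Management Web Service';            Primary = 'Running'; Standby = 'Stopped'; RoleBound = $false }
    @{ Name = 'BES10 - BlackBerry Web Services';                      Primary = 'Running'; Standby = 'Stopped'; RoleBound = $true  }
    @{ Name = 'BES10 - BlackBerry Work Connect Notification Service'; Primary = 'Running'; Standby = 'Stopped'; RoleBound = $true  }
)

function Get-ExpectedState {
    # The rule from the table, kept separate from the remote query so it can be read on its own.
    param([hashtable] $Service, [ValidateSet('Primary', 'Standby')] [string] $Role, [bool] $HasDeviceManagementRole)
    if ($Service.RoleBound -and -not $HasDeviceManagementRole) { return 'Stopped' }
    return $Service[$Role]
}

function Test-Bes10PairServices {
    param(
        [Parameter(Mandatory)] [string] $PrimaryHost,
        [Parameter(Mandatory)] [string] $StandbyHost,
        [bool] $HasDeviceManagementRole = $false   # $true for the pair that is assigned the role
    )
    foreach ($svc in $ExpectedServices) {
        foreach ($role in 'Primary', 'Standby') {
            $computer = if ($role -eq 'Primary') { $PrimaryHost } else { $StandbyHost }
            $expected = Get-ExpectedState -Service $svc -Role $role -HasDeviceManagementRole $HasDeviceManagementRole
            $sc = Get-Service -ComputerName $computer -DisplayName $svc.Name -ErrorAction SilentlyContinue
            $actual = if ($sc) { [string]$sc.Status } else { 'NotInstalled' }
            [pscustomobject]@{
                Instance = $role; Host = $computer; Service = $svc.Name
                Expected = $expected; Actual = $actual; Ok = ($actual -eq $expected)
            }
        }
    }
}

# Usage (host names are placeholders): list only the services that differ from the table.
# Test-Bes10PairServices -PrimaryHost 'bes-p1.example.com' -StandbyHost 'bes-s1.example.com' -HasDeviceManagementRole $true |
#     Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

A standby that reports the Enterprise Management Web Service, the BlackBerry Web Services or the BlackBerry Work Connect Notification Service as Running is a sign that device service has already failed over to it, because the table states that those services start only on failover; confirm the current roles in the High availability summary before acting on the result.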
Health parameters and the availability of BlackBerry Enterprise Service 10 components

BlackBerry Enterprise Service 10 uses health parameters to track the overall health and availability of the server components that transfer data and management settings to and from BlackBerry devices, Android devices, and iOS devices. Health parameters track the health of both the primary instance and the standby instance. The parameters indicate whether the server components are working as expected. Each parameter reports the status of a different EMM feature. For example, the wireless network access parameter indicates whether the BlackBerry Dispatcher can access the wireless network.

The health of each parameter is based on a predefined performance threshold. If the performance of the server components satisfies this threshold, the parameter is "healthy" and lists a status of available or connected. If it does not, the parameter is "unhealthy" and lists a status of not available or not connected.

On the primary instance, if any parameter above the failover threshold is unhealthy, device service fails over automatically to the standby instance. On the standby instance, if any parameter above the promotion threshold is unhealthy, device service cannot fail over from the primary instance to the standby instance (the standby instance cannot be promoted to become the primary instance).

Health parameters

Parameters above the failover threshold (primary) and the promotion threshold (standby)

On the primary instance, if any of the following parameters is unhealthy, device service fails over automatically to the standby instance. On the standby instance, if any of the following parameters is unhealthy, device service cannot fail over from the primary instance to the standby instance.

Wireless network access
  This health parameter indicates whether the BlackBerry Dispatcher can access the wireless network.

BlackBerry Dispatcher
  This health parameter indicates whether the BlackBerry Dispatcher can communicate with BlackBerry devices.

Enterprise connectivity for BlackBerry devices
  This health parameter indicates whether the BlackBerry MDS Connection Service can communicate with the other components over HTTP or HTTPS. This does not include connectivity with the local Enterprise Management Web Service.

Connection to the BlackBerry Configuration Database
  This health parameter indicates whether the components can connect to the BlackBerry Configuration Database (the database associated with the BlackBerry Device Service).

BlackBerry Push
  This health parameter indicates whether the Enterprise Management Web Service can issue HTTP EMA pokes to devices, and whether devices receive HTTP EMA pokes.

Management of BlackBerry devices
  This health parameter indicates whether the BlackBerry MDS Connection Service can communicate with the local Enterprise Management Web Service.

Management of iOS and Android devices
  This health parameter indicates whether the components can deliver management settings to iOS devices and Android devices.

Parameters below the failover threshold (primary) and the promotion threshold (standby)

The following parameter does not trigger automatic failover from the primary instance to the standby instance, and does not affect the promotion of the standby instance.

Enterprise connectivity for iOS and Android devices
  This health parameter indicates whether iOS devices and Android devices can connect to the components. This parameter does not affect failover or promotion because this functionality is load-balanced across every server instance (primary and standby) in the BlackBerry Enterprise Service 10 domain.

Prerequisites: Installing a standby instance of the core components

• Install a primary instance of the core components.
  Verify whether this instance is assigned the device management role for Android devices and iOS devices. By default, the setup application assigns this role to the first instance of the core components that you install in the domain, or to the first instance that you upgrade.
• Choose a different computer to host the standby instance of the core components. Verify that this computer meets the appropriate system requirements.
• When you install the standby instance, use the same service account that you used to install the primary instance, or a service account with the same permissions.
• It is a best practice to upgrade all BlackBerry 10 devices in your organization's environment to BlackBerry 10 OS version 10.1 or later. If device service fails over to the standby instance, you can continue to use the consoles to manage BlackBerry devices only if the devices use BlackBerry 10 OS version 10.1 or later. If the devices use an earlier version of the BlackBerry 10 OS or the BlackBerry PlayBook OS, the devices cannot connect to the Enterprise Management Web Service of the new primary instance (formerly the standby instance). As a result, you cannot manage the devices from the consoles until you perform one of the following actions:
  • Manually fail over device service back to the initial primary instance.
  • Move the user account and any associated devices to another high availability pair in the domain.
  • Activate the devices again.

Related information
Assigning the device management role for Android devices and iOS devices, 44

Install a standby instance of the core components

When you install a standby instance of the core components, the setup application associates the components on the standby instance with the components on the primary instance. You can view and change settings for the standby components using the BlackBerry Administration Service.

1. Log in to the computer that you want to install the standby instance on using a service account with the correct permissions. The service account runs the BlackBerry Enterprise Service 10 services.
2. In the BlackBerry Enterprise Service 10 installation files, double-click setup.exe. If a Windows message appears and requests permission for setup.exe to make changes to the computer, click Yes.
3. Review the Windows account information that will be used to install the standby instance. Click Continue Installation.
4. In the License agreement dialog box, perform the following actions:
   • In the Customer information section, specify information for your organization and select your country or region.
   • In the License agreement section, read the license agreement. Select I accept the terms of the license agreement.
   • Click Next.
5. In the Setup type dialog box, select Use an existing BlackBerry Enterprise Service 10 domain.
6. Click Next.
7. In the Database information dialog box, perform the following actions:
   • In the Microsoft SQL Server name field, type the name of the computer that hosts the database server.
   • In the Database name field, type the name of the BlackBerry Configuration Database that is associated with the primary instance.
   • If you configured the database server to use static ports, select the Static option. If the static port number is not 1433, in the Port field, type the port number.
   • By default, the setup application uses Windows authentication to connect to the BlackBerry Enterprise Service 10 databases. If you select Microsoft SQL Server authentication, specify login information for a Microsoft SQL Server account.
   • Click Next.
8. In the Setup options dialog box, perform the following actions:
   • Select Install the BlackBerry Enterprise Service 10 core components.
   • Select Install the BlackBerry Enterprise Service 10 core components as a standby instance and associate it with a primary instance for high availability. In the drop-down list, click the primary instance.
   • Click Next.
9. In the Preinstallation checklist dialog box, read and verify the information. Click Next.
10. In the Accounts and folders dialog box, in the Password field, type the password for the service account that you used in step 1.
11. Click Next.
12. In the Summary dialog box, verify that the information is correct. Click Install.
13. When the installation process completes, click Next.
14. In the Core Module Information dialog box, if necessary, change the port numbers in the Website information section and Port settings section. Click Next.
15. In the Communication Module information dialog box, if necessary, change the port number in the Website information section. Click Next.
16. In the Finalize installation dialog box, the setup application finishes installation tasks and the BlackBerry Enterprise Service 10 services start automatically. When all the services are running, click Next.
    Note: The BlackBerry Web Services, BlackBerry Work Connect Notification Service, and the Enterprise Management Web Service do not start automatically on the standby instance. These services are designed to start after device service fails over to the standby instance.
17. In the Console addresses dialog box, click Finish. By default, the setup application exports the BlackBerry Enterprise Service 10 web addresses to a .txt file.

By default, the primary instance is configured to fail over automatically if any of the health parameters above the failover threshold become unhealthy. For automatic failover to succeed, on the standby instance, the health parameters above the promotion threshold must be healthy.

Note: If you change the listening port for Microsoft SQL Server to a custom port, and you update the port value on the primary instance using the BES10 Configuration Tool, the standby instance is not updated with the new port value and cannot connect to Microsoft SQL Server.

After you finish:
• Restart the computer that hosts the primary instance.
• Restart the computer that hosts the standby instance.
• If you have additional primary instances in your domain and you want to configure additional high availability pairs, repeat this task as required.

Post-installation tasks

Perform the following tasks, as required, after you install a standby instance. Instructions can be found in the appropriate sections of the BlackBerry Enterprise Service 10 Configuration Guide.
• If you want to manage iOS devices in your organization's domain, you must obtain an APNs certificate and upload it to the primary instance and the standby instance.
• If the domain will support work space-enabled iOS devices, enable the Secure Work Space and configure the standby instance to support email notifications.
• If necessary, specify the same proxy mappings for the BlackBerry MDS Connection Service and Enterprise Management Web Service on the primary instance and the standby instance.
• Using the BlackBerry Administration Service, you can change the log file path for any instance of the core components in the domain. If you change the log file path for one instance in a high availability pair, for consistency, you can change the log file path for the other instance.

Note: If you uninstall a high availability pair, and then you install new instances that will use the same databases, the setup application tries to install the second instance of the core components as a standby instance.
If you do not want the setup application to install the second instance as a standby, use the BlackBerry Administration Service to remove the high availability pair from the databases before you install the new instances.

Fail over device service manually

By default, the primary instance is configured to fail over automatically if any of the health parameters above the failover threshold become unhealthy. If the primary instance of the BlackBerry Enterprise Service 10 components is not running as expected, or if you want to perform maintenance activities on the primary instance, you can manually fail over device service to the standby instance.

Before you begin: Verify that the standby instance is running.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand High availability > Highly available instances.
2. Click the appropriate high availability pair.
3. In the High availability actions list, click Manual failover.
4. In the Select Standby Instance section, select the standby instance that you want device service to fail over to.
5. Click Yes – Failover to standby instance.

After you finish: See Tasks to perform after an automatic or manual failover.

Switch the primary and standby instances

You can switch the primary instance in a high availability pair to a standby instance at any time. For example, you may want to stop device service on the primary instance for a short period of time while you complete maintenance activities. When both instances in a high availability pair are standby instances, device service is not active on either instance. When you complete your maintenance activities, you can choose which standby instance you want to promote to become the primary instance. You need to complete some additional configuration if you choose to promote the original standby instance to become the new primary instance.

Before you begin: Verify that the standby instance is running.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand High availability > Highly available instances.
2. Click the appropriate high availability pair.
3. In the High availability actions list, click Change primary instance to standby instance.
4. Click Yes – Change instance to standby instance.
5. If necessary, perform any maintenance activities that are required.
6. In the High availability actions list, click Change standby instance to primary instance.
7. In the Select Standby Instance section, select the standby instance that you want to promote to become the primary instance.
8. Click Change instance to primary instance.

After you finish: If you chose to promote the original standby instance to become the new primary instance, see Tasks to perform after an automatic or manual failover.

Tasks to perform after an automatic or manual failover

When an automatic failover occurs or you initiate a manual failover, you can choose to manually fail over device service back to the initial primary instance after you resolve the issue, or you can have device service continue indefinitely on the new primary instance (formerly the standby instance).

If the failover occurs in a high availability pair that is assigned the device management role for Android devices and iOS devices, and you want device service to continue indefinitely on the new primary instance (formerly the standby instance), you must complete an additional task so that you can continue to manage Android devices and iOS devices using the Administration Console. See Configure the Administration Console to connect to the new primary instance. If you plan to manually fail over device service back to the initial primary instance, you do not have to complete this task. For more information about the device management role, see Assigning the device management role for Android devices and iOS devices.
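The script below is an added example, not part of the guide and not BlackBerry's code, for the two Administration Console procedures that follow (Configure the Administration Console to connect to the new primary instance, and Change the active Administration Console instance). It rewrites the mdm.restServer line in config.properties, keeps a dated copy of the previous file, and restarts the BES10 - Administration Console service, optionally first setting the service to Automatic so that a disabled console instance becomes the active one. It assumes BES10 is installed on C: (the guide gives the path without a drive letter), the property name and default ports the guide states, and a service display name of BES10 - Administration Console; the FQDN in the usage lines is a placeholder.

```powershell
# Added example, not from the BES10 guide. Assumes an install on C: (the guide's path has
# no drive letter), the mdm.restServer property name, and the service display name
# "BES10 - Administration Console".

function Set-Bes10AdminConsoleTarget {
    param(
        [Parameter(Mandatory)] [string] $NewPrimaryFqdn,
        [int] $Port = 9081,   # 8081 for domains upgraded from Universal Device Service 6.x
        [string] $ConfigPath = 'C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.Gui\webapps\ROOT\WEB-INF\classes\config.properties',
        [switch] $MakeActive   # also set the service to Automatic (for a disabled console instance)
    )
    # Accept only a fully qualified host name, which is what the guide's example value uses.
    if ($NewPrimaryFqdn -notmatch '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$') {
        throw "Expected a fully qualified host name, got '$NewPrimaryFqdn'"
    }
    $key = 'mdm.restServer'
    $newLine = "$key=https://${NewPrimaryFqdn}:${Port}"
    $found = 0
    $updated = foreach ($line in Get-Content -LiteralPath $ConfigPath) {
        if ($line -match "^\s*$([regex]::Escape($key))\s*=") { $found++; $newLine } else { $line }
    }
    if ($found -ne 1) { throw "Expected exactly one $key line in $ConfigPath, found $found" }

    # Keep the previous file so the change can be undone after a fail-back to the initial primary.
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.$stamp.bak"
    # Java .properties files are read as ISO-8859-1; ASCII output is safe for this value.
    Set-Content -LiteralPath $ConfigPath -Value $updated -Encoding ASCII

    $service = Get-Service -DisplayName 'BES10 - Administration Console'
    if ($MakeActive) { Set-Service -Name $service.Name -StartupType Automatic }
    Restart-Service -Name $service.Name
    return $newLine
}

# Usage (FQDN is a placeholder). Repoint the active console after a failover you intend to
# leave in place, or make a previously disabled instance the active one with -MakeActive.
# Set-Bes10AdminConsoleTarget -NewPrimaryFqdn 'bes-s1.example.com'
# Set-Bes10AdminConsoleTarget -NewPrimaryFqdn 'bes-s1.example.com' -MakeActive
```

The function refuses to write the file unless it finds exactly one mdm.restServer line, so a console whose config.properties has been edited by hand into an unexpected shape is left untouched rather than silently given a second, conflicting value.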
Note: If a failover occurs in a high availability pair that is assigned the device management role for Android devices and iOS devices, BlackBerry Management Studio cannot connect to the new primary instance (formerly the standby instance) that is assigned the role. As a result, you cannot manage Android devices and iOS devices from BlackBerry Management Studio unless you manually fail over device service back to the initial primary instance. A workaround is available if you want to configure BlackBerry Management Studio to connect to the new server instance with the device management role. To learn more about the workaround, visit www.blackberry.com/go/kbhelp to read article KB34319.

Configure the Administration Console to connect to the new primary instance

The Administration Console must connect to the primary instance that is assigned the device management role for Android devices and iOS devices. If you assign this role to a different primary instance or high availability pair, or if a failover occurs in a high availability pair that is assigned the role (and you want device service to continue on the standby instance), you must connect the Administration Console to the new primary instance that is assigned the role.

1. On the computer that hosts the active Administration Console, navigate to <drive>:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.Gui\webapps\ROOT\WEB-INF\classes.
2. In a text editor, open config.properties.
3. Locate mdm.restServer=https://<FQDN>:<port>, where <FQDN> is the FQDN of the initial primary instance, and <port> is the port that the Administration Console uses to connect to that computer. For example, mdm.restServer=https://SERVER1.TESTNET.RIM.NET:9081.
4. Change <FQDN> to the FQDN of the computer that hosts the new primary instance with the device management role.
5. If necessary, change <port> to the port that the Administration Console uses to connect to the computer that hosts the new primary instance. The default port number is 9081. If you upgraded Universal Device Service 6.x to BlackBerry Enterprise Service 10 version 10.1 or later, the default port number is 8081.
6. Save and close the file.

After you finish: In the Windows Services, restart the BES10 - Administration Console service.

Turn off automatic failover

By default, the primary instance is configured to fail over automatically if any of the health parameters above the failover threshold become unhealthy. You have the option to turn off automatic failover for a high availability pair.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand High availability > Highly available instances.
2. Click the appropriate high availability pair.
3. In the High availability actions list, click Turn off automatic BlackBerry Enterprise Service 10 failover.

After you finish: To turn on automatic failover, in the High availability actions list, click Turn on automatic BlackBerry Enterprise Service 10 failover.

Change the active Administration Console instance

You can install more than one instance of the Administration Console in a BlackBerry Enterprise Service 10 domain, but only one instance can be active. The first instance that you install is started by default and is the active instance. Additional instances that you install are disabled. If the active Administration Console stops responding, or if you want to stop the Administration Console to perform maintenance activities, you can restore service by making another instance active.

Before you begin: If necessary, on the computer that hosts the active Administration Console, in the Windows Services, stop the BES10 - Administration Console service. Change the startup type for the service from Automatic to Disabled.

1. On the computer that hosts the disabled Administration Console that you want to make active, configure the Administration Console to connect to the primary instance that is assigned the device management role for Android devices and iOS devices. For more information about this role, see Assigning the device management role for Android devices and iOS devices. For instructions to complete this task, see Configure the Administration Console to connect to the new primary instance.
2. On the same computer, in the Windows Services, change the startup type for the BES10 - Administration Console service to Automatic.
3. Start the BES10 - Administration Console service.

Monitoring a high availability configuration

Check the status of a high availability pair

You can use the BlackBerry Administration Service to check the status of a high availability pair, including the health parameters of the primary instance and the standby instance. The availability column indicates whether an instance is currently serving as the primary instance or as the standby instance; this information is collected from the BlackBerry Enterprise Service 10 databases. The failover status column indicates whether the instance is running as expected and the current role of the instance (primary or standby); this information is collected from the BlackBerry Enterprise Service 10 components in real time. Comparing the two columns shows whether the role recorded in the databases matches the role the components are actually running.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand High availability.
2. Click High availability summary.
3. In the Host Instance Name section, click the name of a high availability pair.
4. To view the status of the health parameters for the primary instance, in the last column for the primary instance, click More.
5. To view the status of the health parameters for the standby instance, in the last column for the standby instance, click More.

After you finish:
• If you want to keep the status information on-screen, and you want the page to refresh automatically every 30 seconds, in the System status section, click Refresh page automatically. This option turns off when you navigate to another page in the BlackBerry Administration Service.
• If you uninstall the standby instance in a high availability pair, the standby instance will still display on this status screen with the health parameters listed as Not available or Not connected.

Related information
Health parameters, 52

View information about the last automatic failover

1. In the BlackBerry Administration Service, on the Servers and components menu, expand High availability > Highly available instances.
2. Click a high availability pair.
3. If an automatic failover occurred, in the System status section, the Failover time field displays the date and time that the failover occurred, and the Failover reason field displays the cause of the failover.

After you finish: To clear this information, click Clear failover time and reasons.

Configuring high availability for BlackBerry Enterprise Service 10 databases

You can use database mirroring to configure high availability for the BlackBerry Enterprise Service 10 databases. Database mirroring is a Microsoft SQL Server feature that allows you to retain database service and data integrity if issues occur with the databases in the BlackBerry Enterprise Service 10 domain. Database mirroring is supported for both the BlackBerry Configuration Database (associated with the BlackBerry Device Service) and the Management Database (associated with the Universal Device Service).

When you configure database mirroring, you set up a principal database and a mirror database.
The databases are hosted on different computers and in different instances of Microsoft SQL Server. After you install the principal database on the principal server, you back up the principal database and use the backup files to create the mirror database on a different computer (the mirror server). You then configure a mirroring relationship between the two databases. When a mirroring session is active, the mirror database performs the same actions and stores the same data as the principal database.

You must configure the databases to use high-safety mode with automatic failover. In high-safety mode, the databases run synchronously: the mirror database synchronizes with the principal database as quickly as possible, and once the databases are synchronized, each change is committed on both databases. To enable automatic failover, you set up a witness server to monitor the principal server. If the principal database stops responding, the witness initiates automatic failover to the mirror database. The BlackBerry Enterprise Service 10 components connect to the mirror database, and device service continues without interruption. A role switch occurs: the mirror database becomes the principal database, and the database that was previously the principal becomes the mirror database. Role switching can occur several times over the course of a mirroring session.

To learn more about database mirroring, visit technet.microsoft.com/sqlserver to read Database Mirroring - SQL Server 2008 R2 or Database Mirroring - SQL Server 2012.

Database mirroring for both BlackBerry Enterprise Service 10 databases

If you want to set up database mirroring, you must configure database mirroring for both the BlackBerry Configuration Database (associated with the BlackBerry Device Service) and for the Management Database (associated with the Universal Device Service). Configuring mirroring for both databases keeps data management consistent in the event of a failover, and prevents unnecessary errors.

When you install BlackBerry Enterprise Service 10, you install the BlackBerry Configuration Database and the Management Database on the same computer, in the same instance of Microsoft SQL Server. These are your principal databases, located on the principal server. You must create both mirror databases on one other computer (the mirror server), in the same instance of Microsoft SQL Server. You then configure the BlackBerry Enterprise Service 10 components to connect to the mirror server so that they can fail over to the mirror databases if necessary. You configure one witness server to monitor the principal server and initiate automatic failover if one of the principal databases stops responding.

System requirements: Database mirroring

BlackBerry Enterprise Service 10 databases
  Database mirroring is supported for both BlackBerry Enterprise Service 10 databases:
  • BlackBerry Configuration Database (BlackBerry Device Service)
  • Management Database (Universal Device Service)
  If you want to use database mirroring, you must configure it for both databases. Create the mirror databases on the same computer (the mirror server), in the same instance of Microsoft SQL Server.

Microsoft SQL Server
  Configure database mirroring using a version of Microsoft SQL Server that BlackBerry Enterprise Service 10 supports. To view the compatibility matrix, visit www.blackberry.com/go/compatibility. Verify that your organization's version of Microsoft SQL Server supports database mirroring.

Operating mode
  Configure database mirroring using high-safety mode with automatic failover.

Witness
  A witness server is required for automatic failover. The witness should be a different server instance than the principal server and the mirror server. For more information, see Database Mirroring Witness – SQL Server 2008 R2 or Database Mirroring Witness – SQL Server 2012.

Location of databases
  Create the mirror database on a different computer than the principal database.

Version parity
  The Microsoft SQL Server that hosts the mirror database should be the same version and edition as the Microsoft SQL Server that hosts the principal database.

Prerequisites: Configuring database mirroring

• Configure the principal server and the mirror server to permit access from remote computers.
• Configure the principal server and the mirror server to have the same permissions.
• Set up a witness server that you will use to monitor the principal server. For more information, see Database Mirroring Witness – SQL Server 2008 R2 or Database Mirroring Witness – SQL Server 2012.
• Configure the Microsoft SQL Server Agent to use a domain user account with the same local administrative permissions as the Windows account that runs the BlackBerry Enterprise Service 10 services.
• Verify that the domain user account has permissions for both the principal server and the mirror server.
• Verify that the DNS server is running.
• If you configured high availability for BlackBerry Enterprise Service 10 components, change the failover type from automatic to manual until you configure database mirroring.
• Configure the principal server and the mirror server to use static port 1433 only.
• On the computers that host the BlackBerry Enterprise Service 10 components, in the Microsoft SQL Server Native Client, turn off the Named Pipes option.
• To review additional prerequisites for your organization's version of Microsoft SQL Server, visit technet.microsoft.com/sqlserver to read Database Mirroring - SQL Server 2008 R2 or Database Mirroring - SQL Server 2012.
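The three tasks that follow (stop the services, configure database mirroring, restart the services) as one added script, not part of the guide and not BlackBerry's code. It stops the BES10 services on each host in the order the guide lists, sets up a high-safety mirroring session with a witness for one database in T-SQL (the work the guide does through the Configure Database Mirroring Security wizard), reads sys.database_mirroring to confirm the operating mode the requirements table demands, and starts the services again in the guide's order; it is run once per database. Everything beyond the guide's steps is an assumption: the SqlServer module's Invoke-Sqlcmd, Windows authentication on all three SQL Server instances addressed as default instances by FQDN, TCP 5022 free for the mirroring endpoints, a backup share readable by both database servers, an existing login for the SQL Server service account, and the host, account and Configuration Database names, which are placeholders. The script also backs up and restores the transaction log after the full backup; the guide does not list that step, but SQL Server requires it before it accepts SET PARTNER on a freshly restored mirror.

```powershell
# Added example, not from the BES10 guide. Assumes the SqlServer module (Invoke-Sqlcmd),
# Windows authentication on all three SQL Server instances (default instances, addressed
# by FQDN), TCP 5022 free for the mirroring endpoints, a backup share readable by the
# principal and mirror servers, and an existing login for the SQL Server service account.
# All host, account and database names are placeholders.

# Stop and start orders from the guide. The Licensing Service and Management Studio use
# both databases and are listed once. Components not installed on a host are skipped.
$MgmtDbServices = 'BES10 - Administration Console', 'BES10 - BlackBerry Web Services', 'BES10 - Scheduler',
                  'BES10 - BlackBerry Work Connect Notification Service', 'BES10 - BlackBerry Secure Connect Service'
$SharedServices = 'BES10 - BlackBerry Licensing Service', 'BES10 - BlackBerry Management Studio'
$StopOrder  = @('BES10 - BlackBerry Administration Service - Application Server',
                'BES10 - BlackBerry Administration Service - Native Code Container',
                'BES10 - Enterprise Management Web Service', 'BES10 - BlackBerry Collaboration Service',
                'BES10 - BlackBerry MDS Connection Service', 'BES10 - BlackBerry Dispatcher',
                'BES10 - BlackBerry Controller') + $SharedServices + $MgmtDbServices
$StartOrder = @('BES10 - BlackBerry Dispatcher', 'BES10 - BlackBerry Controller',
                'BES10 - BlackBerry MDS Connection Service', 'BES10 - BlackBerry Collaboration Service',
                'BES10 - BlackBerry Administration Service - Application Server',
                'BES10 - BlackBerry Administration Service - Native Code Container',
                'BES10 - Enterprise Management Web Service') + $SharedServices + $MgmtDbServices

function Set-Bes10ServiceState {
    param([string[]] $Hosts, [string[]] $Order, [ValidateSet('Stop', 'Start')] [string] $Action)
    foreach ($h in $Hosts) {
        foreach ($name in $Order) {
            $svc = Get-Service -ComputerName $h -DisplayName $name -ErrorAction SilentlyContinue
            if (-not $svc) { continue }
            if ($Action -eq 'Stop') { Stop-Service -InputObject $svc } else { Start-Service -InputObject $svc }
        }
    }
}

function Enable-Bes10Mirroring {
    param(
        [Parameter(Mandatory)] [string] $Database,          # e.g. BESMgmt, the guide's example name
        [Parameter(Mandatory)] [string] $Principal,
        [Parameter(Mandatory)] [string] $Mirror,
        [Parameter(Mandatory)] [string] $Witness,
        [Parameter(Mandatory)] [string] $BackupShare,       # UNC path readable by principal and mirror
        [Parameter(Mandatory)] [string] $SqlServiceAccount, # e.g. EXAMPLE\sqlsvc, must exist as a login
        [int] $Port = 5022
    )
    $db = "[$Database]"
    # One mirroring endpoint per instance; AES is chosen over the RC4 default, and the SQL
    # Server service account needs CONNECT on every endpoint it must reach.
    $endpoint = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_mirroring_endpoints)
    CREATE ENDPOINT [Mirroring] STATE = STARTED AS TCP (LISTENER_PORT = $Port)
        FOR DATABASE_MIRRORING (ROLE = {0}, ENCRYPTION = REQUIRED ALGORITHM AES);
GRANT CONNECT ON ENDPOINT::[Mirroring] TO [$SqlServiceAccount];
"@
    foreach ($s in $Principal, $Mirror) { Invoke-Sqlcmd -ServerInstance $s -Query ($endpoint -f 'PARTNER') }
    Invoke-Sqlcmd -ServerInstance $Witness -Query ($endpoint -f 'WITNESS')

    # Guide steps 2-4, plus the log backup SQL Server needs before SET PARTNER is accepted.
    # TRUSTWORTHY (step 3) widens what code inside this database may do on the instance; do not
    # set it on any database other than the two BES10 databases.
    Invoke-Sqlcmd -ServerInstance $Principal -Query @"
ALTER DATABASE $db SET RECOVERY FULL;
ALTER DATABASE $db SET TRUSTWORTHY ON;
BACKUP DATABASE $db TO DISK = N'$BackupShare\${Database}.bak' WITH INIT;
BACKUP LOG $db TO DISK = N'$BackupShare\${Database}.trn' WITH INIT;
"@
    # Guide steps 6-7: same database name, restored WITH NORECOVERY (add MOVE clauses if the
    # mirror server keeps its data files in a different directory).
    Invoke-Sqlcmd -ServerInstance $Mirror -Query @"
RESTORE DATABASE $db FROM DISK = N'$BackupShare\${Database}.bak' WITH NORECOVERY, REPLACE;
RESTORE LOG $db FROM DISK = N'$BackupShare\${Database}.trn' WITH NORECOVERY;
"@
    # Guide steps 8-10: partner on the mirror first, then partner, safety level and witness on the principal.
    Invoke-Sqlcmd -ServerInstance $Mirror -Query "ALTER DATABASE $db SET PARTNER = N'TCP://${Principal}:${Port}';"
    Invoke-Sqlcmd -ServerInstance $Principal -Query @"
ALTER DATABASE $db SET PARTNER = N'TCP://${Mirror}:${Port}';
ALTER DATABASE $db SET PARTNER SAFETY FULL;
ALTER DATABASE $db SET WITNESS = N'TCP://${Witness}:${Port}';
"@
    # Check the operating mode the guide requires: high safety (FULL) with a connected witness.
    $state = Invoke-Sqlcmd -ServerInstance $Principal -Query @"
SELECT mirroring_role_desc AS Role, mirroring_state_desc AS State,
       mirroring_safety_level_desc AS Safety, mirroring_witness_state_desc AS Witness
FROM sys.database_mirroring WHERE database_id = DB_ID(N'$Database');
"@
    if ($state.Role -ne 'PRINCIPAL' -or $state.Safety -ne 'FULL' -or $state.Witness -ne 'CONNECTED') {
        throw "$Database is not mirrored in high-safety mode with automatic failover: $($state | Out-String)"
    }
    return $state
}

# Usage (placeholders): Configuration Database first, then the Management Database.
# $besHosts = 'bes-p1.example.com', 'bes-s1.example.com'
# Set-Bes10ServiceState -Hosts $besHosts -Order $StopOrder -Action Stop
#   foreach ($name in 'BESConfig', 'BESMgmt') {   # BESConfig is an assumed name
#     Enable-Bes10Mirroring -Database $name -Principal 'sql-p.example.com' -Mirror 'sql-m.example.com' `
#         -Witness 'sql-w.example.com' -BackupShare '\\files.example.com\sqlbackup' -SqlServiceAccount 'EXAMPLE\sqlsvc' }
# Set-Bes10ServiceState -Hosts $besHosts -Order $StartOrder -Action Start
```

The final query is the check worth keeping after the wizard as well: a session whose Safety is OFF or whose Witness is not CONNECTED will survive the guide's manual failover test yet never fail over on its own, which is exactly the case the requirements table's "high-safety mode with automatic failover" entry is meant to exclude.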
Configuring database mirroring

Stop the BlackBerry Enterprise Service 10 services
To maintain database integrity, you must stop the BlackBerry Enterprise Service 10 services while you configure database mirroring. It is a best practice to perform this task when device activity is low because BlackBerry device service is interrupted when you stop the services.

On each computer that hosts BlackBerry Enterprise Service 10 components, in the Windows Services, stop the services in the order listed:

Services that use the BlackBerry Configuration Database
• BES10 - BlackBerry Administration Service - Application Server
• BES10 - BlackBerry Administration Service - Native Code Container
• BES10 - Enterprise Management Web Service
• BES10 - BlackBerry Collaboration Service (optional component)
• BES10 - BlackBerry MDS Connection Service
• BES10 - BlackBerry Dispatcher
• BES10 - BlackBerry Controller
• BES10 - BlackBerry Licensing Service
• BES10 - BlackBerry Management Studio

Services that use the Management Database
• BES10 - Administration Console
• BES10 - BlackBerry Web Services
• BES10 - Scheduler
• BES10 - BlackBerry Work Connect Notification Service
• BES10 - BlackBerry Secure Connect Service
• BES10 - BlackBerry Licensing Service
• BES10 - BlackBerry Management Studio

After you finish: Configure database mirroring.

Configure database mirroring
The following instructions apply to Microsoft SQL Server 2008 R2 and Microsoft SQL Server 2012. The steps might be different based on your organization’s version of Microsoft SQL Server. Configure database mirroring for the BlackBerry Configuration Database first, and then configure database mirroring for the Management Database.

Before you begin: Visit technet.microsoft.com/sqlserver to read Database Mirroring - SQL Server 2008 R2 or Database Mirroring - SQL Server 2012.

1. In Microsoft SQL Server Management Studio, browse to the principal database.
2. Change the Recovery Model property to FULL.
3. In the query editor, run the ALTER DATABASE <database_name> SET TRUSTWORTHY ON query, where <database_name> is the name of the principal database (for example, BESMgmt).
4. Back up the principal database. Change the Backup type option to Full.
5. Copy the backup files to the mirror server.
6. On the mirror server, restore the database to create the mirror database. When you restore the database, select the NO RECOVERY option.
7. Verify that the name of the mirror database matches the name of the principal database.
8. On the principal server, in Microsoft SQL Server Management Studio, right-click the principal database and select the Mirror task. On the Mirroring page, click Configure Security to launch the Configure Database Mirroring Security wizard.
9. Start the mirroring process. For more information, see Setting up Database Mirroring – SQL Server 2008 R2 or Setting Up Database Mirroring – SQL Server 2012.
10. To enable automatic failover, add a witness to the mirroring session. For more information, see Database Mirroring Witness – SQL Server 2008 R2 or Database Mirroring Witness – SQL Server 2012.

After you finish:
• After you configure database mirroring for the BlackBerry Configuration Database, configure database mirroring for the Management Database.
• To verify that failover works correctly, manually fail over service to the mirror database and back to the principal database.

Restart the BlackBerry Enterprise Service 10 services
After you configure database mirroring for the BlackBerry Configuration Database and the Management Database, restart the BlackBerry Enterprise Service 10 services.
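The ordered stop (above) and start (below) of the BES10 services, as an added PowerShell example; this is not code from the BlackBerry guide. It stops or starts whatever BES10 services are installed on the local computer in the listed order, skips a listed service that is not installed (the optional BlackBerry Collaboration Service, for instance) or that is already in the target state, handles any installed service that is not listed last ("all remaining components"), and waits for each transition before moving to the next service. The display names are the ones this guide lists; the function and parameter names are assumptions made for the example, and -Order accepts any other sequence, such as the shorter Controller-and-Dispatcher-first order given under Restarting BlackBerry Enterprise Service 10 components later on this page.

```powershell
# Added example (not part of the BlackBerry guide): stop or start the BES10 Windows services in a
# fixed order. Display names and both orders are taken from the guide; services that are installed
# but not listed are handled last, and listed services that are absent or already in the target
# state are skipped.
$StopOrder = @(
    'BES10 - BlackBerry Administration Service - Application Server',
    'BES10 - BlackBerry Administration Service - Native Code Container',
    'BES10 - Enterprise Management Web Service',
    'BES10 - BlackBerry Collaboration Service',          # optional component, may not be installed
    'BES10 - BlackBerry MDS Connection Service',
    'BES10 - BlackBerry Dispatcher',
    'BES10 - BlackBerry Controller',
    'BES10 - BlackBerry Licensing Service',
    'BES10 - BlackBerry Management Studio',
    'BES10 - Administration Console',
    'BES10 - BlackBerry Web Services',
    'BES10 - Scheduler',
    'BES10 - BlackBerry Work Connect Notification Service',
    'BES10 - BlackBerry Secure Connect Service'
)
$StartOrder = @(
    'BES10 - BlackBerry Dispatcher',
    'BES10 - BlackBerry Controller',
    'BES10 - BlackBerry MDS Connection Service',
    'BES10 - BlackBerry Collaboration Service',          # optional component, may not be installed
    'BES10 - BlackBerry Administration Service - Application Server',
    'BES10 - BlackBerry Administration Service - Native Code Container',
    'BES10 - Enterprise Management Web Service',
    'BES10 - BlackBerry Licensing Service',
    'BES10 - BlackBerry Management Studio',
    'BES10 - Administration Console',
    'BES10 - BlackBerry Web Services',
    'BES10 - Scheduler',
    'BES10 - BlackBerry Secure Connect Service'
)

function Invoke-Bes10ServiceOrder {
    # Function and parameter names are assumptions for this example.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Stop', 'Start')][string]$Action,
        [string[]]$Order,                  # defaults to $StopOrder / $StartOrder below
        [int]$TimeoutSeconds = 300
    )
    if (-not $Order) { $Order = if ($Action -eq 'Stop') { $StopOrder } else { $StartOrder } }

    $installed = @(Get-Service | Where-Object { $_.DisplayName -like 'BES10 - *' })
    # Listed services first, in the given order; anything else that is installed follows
    # ("all remaining components"). A listed service that is not installed simply matches nothing.
    $ordered = @(
        foreach ($name in $Order) { $installed | Where-Object { $_.DisplayName -eq $name } }
        $installed | Where-Object { $Order -notcontains $_.DisplayName }
    )
    $target = if ($Action -eq 'Stop') { 'Stopped' } else { 'Running' }

    foreach ($svc in $ordered) {
        $svc.Refresh()
        if ($svc.Status -eq $target) { continue }                         # already where we want it
        if (-not $PSCmdlet.ShouldProcess($svc.DisplayName, $Action)) { continue }
        if ($Action -eq 'Stop') { Stop-Service -Name $svc.Name -Force } else { Start-Service -Name $svc.Name }
        # WaitForStatus throws on timeout, which stops the sequence instead of continuing out of order.
        $svc.WaitForStatus($target, [TimeSpan]::FromSeconds($TimeoutSeconds))
        Write-Verbose "$($svc.DisplayName): $target"
    }
}

# Usage, run elevated on each computer that hosts BES10 components:
# Invoke-Bes10ServiceOrder -Action Stop -WhatIf     # preview the order without touching anything
# Invoke-Bes10ServiceOrder -Action Stop -Verbose
# Invoke-Bes10ServiceOrder -Action Start -Verbose
```

Run it with -WhatIf first: the preview shows exactly which installed services will be touched and in what order, which is the thing to check before interrupting device service.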
On each computer that hosts BlackBerry Enterprise Service 10 components, in the Windows Services, start the services in the order listed:

Services that use the BlackBerry Configuration Database
• BES10 - BlackBerry Dispatcher
• BES10 - BlackBerry Controller
• BES10 - BlackBerry MDS Connection Service
• BES10 - BlackBerry Collaboration Service (optional component)
• BES10 - BlackBerry Administration Service - Application Server
• BES10 - BlackBerry Administration Service - Native Code Container
• BES10 - Enterprise Management Web Service
• BES10 - BlackBerry Licensing Service
• BES10 - BlackBerry Management Studio

Services that use the Management Database
• BES10 - Administration Console
• BES10 - BlackBerry Web Services
• BES10 - Scheduler
• BES10 - BlackBerry Licensing Service
• BES10 - BlackBerry Secure Connect Service
• BES10 - BlackBerry Licensing Service
• BES10 - BlackBerry Management Studio

After you finish: Configure BlackBerry Enterprise Service 10 to support database mirroring.

Configuring BlackBerry Enterprise Service 10 to support database mirroring
After you start a mirroring session, you must configure the BlackBerry Enterprise Service 10 components to connect to the mirror server.

Configure BlackBerry Enterprise Service 10 components to support database mirroring
Before you begin:
• It is a best practice to perform this task when device activity is low because device service is interrupted when you restart the computers that host the BlackBerry Enterprise Service 10 components.
• Verify that the mirror server is running.

1. On the computer that hosts the core BlackBerry Enterprise Service 10 components, on the Start menu, click Run.
2. Type regedit. Click OK.
3. Perform the following actions:

   Configure database mirroring support for BlackBerry Device Service components:
   1. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Research In Motion\BlackBerry Enterprise Service\Database.
   2. Right-click the FailoverServerMachineName value and click Modify. In the Value data field, type the name of the mirror server.
   3. Click OK.

   Configure database mirroring support for Universal Device Service components:
   1. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Research In Motion\Universal Device Service\Setup\Components\DB.
   2. Right-click the FailoverServerMachineName value and click Modify. In the Value data field, type the name of the mirror server.
   3. Click OK.

4. Repeat steps 1 to 3 on any other computer that hosts BlackBerry Enterprise Service 10 components.
5. On the computer that hosts the core BlackBerry Enterprise Service 10 components, browse to <drive>:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\Core.
6. To decrypt the section of the web.config file that you need to change, in the command line, execute the following command (change the installation file path if necessary): %Windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pdf "appSettings" "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\Core"
7. In a text editor, open the web.config configuration file.
8. In the <appSettings> section, add the following attribute to the double-quotes after value=: Failover Partner=<mirror_server>, where <mirror_server> is the name of the mirror server.

After you finish: Restart the computer that hosts the core BlackBerry Enterprise Service 10 components, and any other computer that hosts BlackBerry Enterprise Service 10 components.

Configuring a new mirror database
If you configure a new mirror database after a role switch has occurred (the BlackBerry Enterprise Service 10 components failed over to the existing mirror database and the existing mirror database became the principal database), you must update the registry settings and web.config file on the computers that host the BlackBerry Enterprise Service 10 components.
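The registry and web.config changes in this procedure, which a new mirror database after a role switch also requires, as one PowerShell script. This is an added example, not code from the BlackBerry guide. The registry keys, the FailoverServerMachineName value, the aspnet_regiis command and the Failover Partner keyword are the ones the guide gives; the name of the appSettings entry that holds the connection string is not on this page, so the script takes it as the $ConnectionKey parameter, and the function names are assumptions. The optional -ReEncrypt switch goes beyond the guide: it runs aspnet_regiis -pef to protect the section again, because after -pdf the connection string sits in clear text in web.config.

```powershell
# Added example (not part of the BlackBerry guide): point the BES10 components at the mirror server.
# Registry keys, value name, aspnet_regiis call and the "Failover Partner" keyword come from the guide;
# $ConnectionKey (the appSettings entry holding the connection string) is not on the page and must be
# supplied. Run elevated on the computer that hosts the core components.

$RegistryKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Research In Motion\BlackBerry Enterprise Service\Database',        # BlackBerry Device Service
    'HKLM:\SOFTWARE\Wow6432Node\Research In Motion\Universal Device Service\Setup\Components\DB'   # Universal Device Service
)

function Set-Bes10FailoverServer {
    # Registry half of the procedure: write FailoverServerMachineName under each key that exists on
    # this computer. A component that is not installed here has no key, which is not an error.
    param([Parameter(Mandatory)][string]$MirrorServer)
    foreach ($key in $RegistryKeys) {
        if (-not (Test-Path -Path $key)) { Write-Verbose "Skipping $key (component not installed here)"; continue }
        Set-ItemProperty -Path $key -Name 'FailoverServerMachineName' -Value $MirrorServer -Type String
        Write-Verbose "FailoverServerMachineName=$MirrorServer written under $key"
    }
}

function Add-Bes10FailoverPartner {
    # web.config half of the procedure: decrypt appSettings, append "Failover Partner=<mirror>" to the
    # connection string, and optionally re-encrypt the section (the re-encryption is beyond the guide).
    param(
        [Parameter(Mandatory)][string]$MirrorServer,
        [Parameter(Mandatory)][string]$ConnectionKey,   # assumption: name of the appSettings entry to change
        [string]$CorePath = 'C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\Core',
        [switch]$ReEncrypt
    )
    $aspnetRegiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
    & $aspnetRegiis -pdf 'appSettings' $CorePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pdf failed with exit code $LASTEXITCODE" }

    $configFile = Join-Path $CorePath 'web.config'
    [xml]$config = Get-Content -Path $configFile -Raw
    $entry = @($config.configuration.appSettings.add) | Where-Object { $_.key -eq $ConnectionKey }
    if (-not $entry) { throw "appSettings key '$ConnectionKey' not found in $configFile" }

    # Drop any earlier Failover Partner so the edit is idempotent, then append the new one.
    $parts = @($entry.value -split ';' | Where-Object { $_.Trim() -and $_ -notmatch '^\s*Failover Partner\s*=' })
    $entry.value = ($parts + "Failover Partner=$MirrorServer") -join ';'
    $config.Save($configFile)
    Write-Verbose "Failover Partner=$MirrorServer added to appSettings key '$ConnectionKey'"

    if ($ReEncrypt) {
        & $aspnetRegiis -pef 'appSettings' $CorePath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef failed with exit code $LASTEXITCODE" }
    }
}

# Usage (placeholder values):
# Set-Bes10FailoverServer -MirrorServer 'SQLMIRROR01' -Verbose
# Add-Bes10FailoverPartner -MirrorServer 'SQLMIRROR01' -ConnectionKey '<appSettings key>' -ReEncrypt -Verbose
# Then restart the computer, as the "After you finish" step requires.
```

The connection string is deliberately never written to the console: the Verbose messages name the key and the mirror server only, so the decrypted credentials do not end up in a transcript or log.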
See Configure BlackBerry Enterprise Service 10 components to support database mirroring.

Using gatekeeping to control which devices can access Microsoft ActiveSync
You can configure Microsoft Exchange to block devices from using Microsoft ActiveSync unless the devices are explicitly added to an allowed list in Microsoft Exchange. Using gatekeeping in BlackBerry Enterprise Service 10 lets you control which devices are added to the allowed list. When a device is added to the allowed list, a user can access work email and other information on the device.

To use gatekeeping for iOS and Android devices, you need to create a Microsoft ActiveSync configuration in the Universal Device Service. To use gatekeeping for BlackBerry devices, you need to create a Microsoft ActiveSync configuration in the Universal Device Service and you need to turn on gatekeeping in the BlackBerry Device Service.

When a user activates an iOS or Android device, and the device is compliant with your organization's security policies, the Universal Device Service pushes a Microsoft ActiveSync email profile to the device and automatically adds the device to the allowed list in Microsoft Exchange. If the Universal Device Service does not support the type of device, or if the device does not comply with the security policies of your organization, the device is not added to the allowed list in Microsoft Exchange. Instead, the device appears in the Universal Device Service console on the Microsoft Exchange Connections list. You can manually add devices from the Microsoft Exchange Connections list to the allowed list.

When a user activates a BlackBerry device, the device is automatically added to the allowed list in Microsoft Exchange. For existing users, you need to reassign the email profile to manually add the devices to the allowed list. If you remove the email profile from the user account, the device is removed from the allowed list.

Configure Microsoft Exchange permissions for gatekeeping
To use Microsoft ActiveSync gatekeeping in BlackBerry Enterprise Service 10, you must configure management roles in Microsoft Exchange Server 2010 with the correct permissions to manage mailboxes and client access for Microsoft ActiveSync. To perform this task, you must be a Microsoft Exchange administrator with the appropriate permissions to create and change management roles.

Before you begin: On the computer that hosts Microsoft Exchange, create an account and mailbox to manage gatekeeping in BlackBerry Enterprise Service 10 (for example, BES10Admin). You must specify the login information for this account when you create a Microsoft ActiveSync configuration in the Universal Device Service console.

1. On a computer that hosts the Microsoft Exchange Management Shell, open the Microsoft Exchange Management Shell.
2. Type New-ManagementRole -Name "<role name>" -Parent "Mail Recipients". Press ENTER.
3. Type New-ManagementRole -Name "<role name>" -Parent "Organization Client Access". Press ENTER.
4. Type Get-ManagementRoleEntry "<role name>\*" | Where {$_.Name -ne "Get-ADServerSettings"} | Remove-ManagementRoleEntry. Press ENTER.
5. Type Get-ManagementRoleEntry "<role name>\*" | Where {$_.Name -ne "Get-CasMailbox"} | Remove-ManagementRoleEntry. Press ENTER.
6. Type Add-ManagementRoleEntry "<role name>\Get-ActiveSyncDeviceStatistics" -Parameters Mailbox. Press ENTER.
7. Type Add-ManagementRoleEntry "<role name>\Get-ActiveSyncDevice" -Parameters Identity. Press ENTER.
8. Type Add-ManagementRoleEntry "<role name>\Set-CasMailbox" -Parameters Identity, ActiveSyncBlockedDeviceIDs, ActiveSyncAllowedDeviceIDs. Press ENTER.
9. Type New-RoleGroup "<role group name>" -Roles "<role name>", "<role name>" (the two roles that you created). Press ENTER.
10. Type Add-RoleGroupMember -Identity "<role group name>" -Member "BES10Admin". Press ENTER.
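The ten steps above as one script for the Exchange Management Shell, followed by a check that the two roles carry nothing beyond the intended cmdlets. This is an added example, not code from the BlackBerry guide. The role names, the role group name and the hashtable layout are placeholders chosen for the example; BES10Admin is the account name the guide uses as its example. The guide does not say which of the two roles receives each Add-ManagementRoleEntry, so the script adds each cmdlet to the first role whose parent role actually carries it, which is the only place a derived role can take an entry from.

```powershell
# Added example (not part of the BlackBerry guide): build the two least-privilege management roles and
# the role group for the gatekeeping account, then verify that the roles hold only the intended cmdlets.
# Run in the Exchange Management Shell. Role and group names below are placeholders.
$MailRole  = 'BES10 Gatekeeping - Mail Recipients'        # derived from "Mail Recipients" (step 2)
$CasRole   = 'BES10 Gatekeeping - Client Access'          # derived from "Organization Client Access" (step 3)
$RoleGroup = 'BES10 Gatekeeping Administrators'           # step 9
$Account   = 'BES10Admin'                                 # gatekeeping account, the guide's example name

$Parents = @{ $MailRole = 'Mail Recipients'; $CasRole = 'Organization Client Access' }
$Keep    = @{ $MailRole = 'Get-ADServerSettings'; $CasRole = 'Get-CasMailbox' }   # steps 4 and 5
$Required = @{                                                                    # steps 6 to 8
    'Get-ActiveSyncDeviceStatistics' = @('Mailbox')
    'Get-ActiveSyncDevice'           = @('Identity')
    'Set-CasMailbox'                 = @('Identity', 'ActiveSyncBlockedDeviceIDs', 'ActiveSyncAllowedDeviceIDs')
}

foreach ($role in $MailRole, $CasRole) {
    New-ManagementRole -Name $role -Parent $Parents[$role] | Out-Null
    # Prune everything inherited from the parent except the one entry that stays.
    Get-ManagementRoleEntry "$role\*" |
        Where-Object { $_.Name -ne $Keep[$role] } |
        Remove-ManagementRoleEntry -Confirm:$false
}

foreach ($cmdlet in $Required.Keys) {
    # A derived role can only hold entries its parent has, so add each cmdlet to the first role whose
    # parent carries it (the guide does not state which role receives which entry).
    $target = foreach ($role in $MailRole, $CasRole) {
        if (Get-ManagementRoleEntry "$($Parents[$role])\$cmdlet" -ErrorAction SilentlyContinue) { $role; break }
    }
    if (-not $target) { throw "Neither parent role carries $cmdlet" }
    Add-ManagementRoleEntry -Identity "$target\$cmdlet" -Parameters $Required[$cmdlet]
}

New-RoleGroup -Name $RoleGroup -Roles $MailRole, $CasRole | Out-Null      # step 9
Add-RoleGroupMember -Identity $RoleGroup -Member $Account                 # step 10

# Verification: any entry beyond the kept and required cmdlets widens what the gatekeeping account can do.
$allowed = @($Keep.Values) + @($Required.Keys)
foreach ($role in $MailRole, $CasRole) {
    $extra = Get-ManagementRoleEntry "$role\*" | Where-Object { $allowed -notcontains $_.Name }
    if ($extra) { Write-Warning "$role still holds: $($extra.Name -join ', ')" }
    else        { Write-Host "$role holds only the expected entries." }
}
```

The closing loop is worth keeping as a standing check: re-run it after Exchange updates or role edits, since an entry that reappears on either role silently extends the rights of the gatekeeping account beyond the five cmdlets this procedure intends.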
Configure Microsoft IIS permissions for gatekeeping
BlackBerry Enterprise Service 10 uses Windows PowerShell commands to manage the list of allowed devices in Microsoft Exchange. To use gatekeeping, you need to configure Microsoft IIS permissions. Perform the following actions on the computer that hosts the Microsoft client access server role.
1. Open the Microsoft Internet Information Services (IIS) Manager.
2. In the left pane, expand the server.
3. Expand Sites > Default Web Site.
4. Right-click the PowerShell folder. Select Edit Permissions.
5. Click the Security tab. Click Edit.
6. Click Add and enter the <role group name> that was created when you configured the Microsoft Exchange permissions for gatekeeping.
7. Click OK.
8. Confirm that Read & execute, List folder contents, and Read are selected. Click OK.
9. Select the PowerShell folder. Double-click the Authentication icon.
10. Select Windows Authentication. Click Enable.
11. Close the Microsoft Internet Information Services (IIS) Manager.

Create a Microsoft ActiveSync configuration in the Universal Device Service
You can create a Microsoft ActiveSync configuration so that devices that are managed by BlackBerry Enterprise Service 10 and comply with your organization's security policies can connect to the Microsoft Exchange Server.

Before you begin:
• Configure Microsoft Exchange permissions for gatekeeping.
• Configure Microsoft IIS permissions for gatekeeping.
• Confirm that Microsoft Exchange is configured to block unauthorized devices from accessing Microsoft ActiveSync. Devices for existing users that are not explicitly added to the allowed list in Microsoft Exchange are blocked until they are allowed by the Universal Device Service.

1. In the Universal Device Service console, in the menu bar, click Settings.
2. In the left pane, beside Exchange ActiveSync, click the + icon.
3. In the Server host name field, type the name of the Microsoft Exchange Server that you want to manage access to.
4. In the Authentication type drop-down list, select the type of authentication that is used on the Microsoft Exchange Server.
5. Type the username and password for the Microsoft Exchange account that you created to manage Microsoft ActiveSync gatekeeping.
6. Select Use SSL to enable SSL authentication between the Universal Device Service and the Microsoft Exchange Server. Optionally, select additional certificate checks.
7. In the Proxy type drop-down list, select the type of proxy configuration, if any, that is used between the Universal Device Service and the Microsoft Exchange Server.
8. If you selected a proxy configuration in the previous step, select the authentication type that is used on the proxy server, and type the username and password.
9. Click Test Connection to verify that the connection is successful.

After you finish: Turn on Microsoft ActiveSync gatekeeping for BlackBerry devices.

Test a Microsoft ActiveSync configuration
Test a Microsoft ActiveSync configuration to verify that the Universal Device Service can use this configuration to connect to the Microsoft Exchange Server.

Before you begin: Create or edit a Microsoft ActiveSync configuration.

1. In the Universal Device Service console, in the menu bar, click Settings.
2. Click the Microsoft ActiveSync configuration.
3. Click Test Connection. The results of the test are displayed in the console and apply to the values that are currently entered in the Microsoft ActiveSync configuration fields.

Block an iOS device or Android device from accessing Microsoft ActiveSync
You can manually block a previously allowed device from accessing Microsoft ActiveSync to prevent a user from retrieving email messages and other information from the Microsoft Exchange Server on the device.

Before you begin: Create a Microsoft ActiveSync configuration.

1. In the Universal Device Service console, on the menu bar, click Microsoft Exchange Connections.
2. Search for a device.
3. In the Status column, click Block.

Allow an iOS device or Android device access to Microsoft ActiveSync
You can manually allow a device to access Microsoft ActiveSync so that a user can retrieve email messages and other information from the Microsoft Exchange Server on the device.

Before you begin: Create a Microsoft ActiveSync configuration.

1. In the Universal Device Service console, in the menu bar, click Microsoft Exchange Connections.
2. Search for a device.
3. In the Status column, click Allow.

Verify that an iOS device or Android device is allowed
You can verify that a device is allowed by looking at the device details.
1. In the Universal Device Service console, search for a user account.
2. In the search results, click the name of a user account.
3. Select the tab for the device that you want to verify.
4. In the Microsoft ActiveSync section, if the device is allowed, Approved connection is displayed below the email address.

Turn on Microsoft ActiveSync gatekeeping for BlackBerry devices
Turn on gatekeeping in the BlackBerry Device Service so that users’ BlackBerry smartphones and BlackBerry PlayBook tablets are automatically allowed to use Microsoft ActiveSync.

Before you begin: Create a Microsoft ActiveSync configuration in the Universal Device Service.

1. In the BlackBerry Device Service console, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
2. Click Enterprise Management Web Service.
3. Click Turn on Microsoft ActiveSync gatekeeping.
4. Click Yes - Turn on Microsoft ActiveSync gatekeeping.

After you finish: Reassign the email profile to existing users.
Monitoring BlackBerry Enterprise Service 10 components
You can use third-party SNMP tools to monitor the activity of certain BlackBerry Enterprise Service 10 components. SNMP monitoring requires an SNMP service and an SNMP management tool. You run the SNMP service on the computers that host the BlackBerry Enterprise Service 10 components. The SNMP service, located in the Windows Services, includes an SNMP agent that collects data from the components. You can use the SNMP management tool to request data from the SNMP agent, or the SNMP agent can send a trap message to the SNMP management tool when the components meet specific conditions.

The conditions that the SNMP agent monitors are determined by the MIB of the BlackBerry Enterprise Service 10. The MIB is a database that defines and describes the variables and management data of BlackBerry Enterprise Service 10 components, including what each SNMP trap value represents. The MIB determines the types of data the SNMP service can collect about the components. When you configure SNMP monitoring, you use the SNMP management tool to compile the MIB.

You use the SNMP management tool (for example, an MIB browser) to view and analyze the data that is received from the SNMP agent. The SNMP management tool typically includes an SNMP trap management tool that is used to retrieve and interpret trap messages from the SNMP agent. The SNMP management tool can be installed on the computer that hosts the BlackBerry Enterprise Service 10 components or on a separate computer.

By default, the SNMP management tool displays the OID of a condition, which is a sequence of integers that identify a class value in a class hierarchy. All SNMP OIDs and SNMP traps for the BlackBerry Enterprise Service 10 begin with a class value of 1.3.6.1.4.1.3530.7. Each OID value is uniquely identified by a suffix (for example, 25.1.1). The BlackBerry Enterprise Service 10 provides different OID values for specific messaging servers.

Supported SNMP operations
You can use SNMP operations to collect data from the SNMP agents that run on the computers that host BlackBerry Enterprise Service 10 components. The BlackBerry Enterprise Service 10 supports the following SNMP operations:
• Get: Retrieves the value for a specific MIB item.
• Get next: Retrieves the value and OID of items in the order that they appear in the MIB file.
• Trap: Sends SNMP trap messages from the SNMP agent to the SNMP trap management tool. SNMP trap messages contain data about specific actions that the BlackBerry Enterprise Service 10 components perform.

System requirements: SNMP monitoring

Supported BlackBerry Enterprise Service 10 components
You can configure SNMP monitoring for the following BlackBerry Enterprise Service 10 components:
• BlackBerry Controller
• BlackBerry Dispatcher
• BlackBerry Router
• BlackBerry MDS Connection Service
• Scheduler
The other BlackBerry Enterprise Service 10 components do not support SNMP monitoring.

Network access
The computer that hosts the SNMP management tool, or a standalone SNMP trap management tool, must be able to access and receive data from the computers that host the BlackBerry Enterprise Service 10 components.

SNMP management tool
Install the SNMP management tool on a computer that hosts a BlackBerry Enterprise Service 10 component, or on a separate computer. If the SNMP management tool does not include an MIB compiler, install an MIB compiler on the computer that hosts the tool. If you want the SNMP service to send trap messages to report on server activity, verify that the SNMP management tool includes an SNMP trap management tool. Alternatively, you can install a standalone SNMP trap management tool on a computer that hosts a BlackBerry Enterprise Service 10 component, or on a separate computer.

SNMP service
On the computers that host the BlackBerry Enterprise Service 10 components, install an SNMP service that includes an SNMP agent and SNMP trap service. An SNMP service is available in most versions of Windows. For more information, visit http://support.microsoft.com/.

SNMP service settings
On the computers that host the BlackBerry Enterprise Service 10 components, in the Windows Services, configure the following SNMP service settings:
• A valid SNMP community name
• A minimum of read-only permission for the SNMP community
• The IP addresses or names of the computers that the SNMP service can accept SNMP data from

Configuring SNMP monitoring

Verify the Registry settings for the SNMP agent
The SNMP agent is the component of the SNMP service that receives requests from and sends data to the SNMP management tool. If you install the SNMP service on a computer after you install the BlackBerry Enterprise Service 10 components, you must verify that the settings for the SNMP agent exist in the Windows Registry.
1. On the Start menu, click Run.
2. Type regedit. Click OK.
3. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Research In Motion\BlackBerry Enterprise Service\Monitoring Service\SNMPAgent\CurrentVersion.
4. For the PathName string value, verify that the value data is <BES10 installation folder>\Monitoring Service\dll\BMSI_SNMP_Agent32.dll. If the PathName string value does not exist, or the value data does not match the specified value, add the string value and the value data as necessary.
5. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMP\Parameters\ExtensionAgents.
6. For the RIM.SNMPAgent32 string value, verify that the value data is SOFTWARE\Research In Motion\BlackBerry Enterprise Service\Monitoring Service\SNMPAgent\CurrentVersion. If the RIM.SNMPAgent32 string value does not exist, or the value data does not match the specified value, add the string value and the value data as necessary.

After you finish:
• If you created or changed any of the string values, in the Windows Services, restart the SNMP service.
• Repeat this task on each computer that hosts a BlackBerry Enterprise Service 10 component that you want to monitor.

Compile the MIB and configure the SNMP management tool
To enable your organization’s SNMP monitoring software to monitor the BlackBerry Enterprise Service 10 components, you must use the SNMP management tool to compile the MIB of the BlackBerry Enterprise Service 10. If the tool does not include an MIB compiler, install an MIB compiler on the computer that hosts the tool.

Before you begin: Read the documentation for the SNMP management tool to learn how to use the tool to compile an MIB.

1. On the computer that hosts the BlackBerry Enterprise Service 10, browse to <BES10 installation folder>\Monitoring Service\bin. The MIB file is named BLACKBERRYENTERPRISESERVICEMIB-SMIV2.mib.
2. Use the SNMP management tool (or the MIB compiler that you installed separately) to compile BLACKBERRYENTERPRISESERVICEMIB-SMIV2.mib.

After you finish: Read the documentation for the SNMP management tool to learn how to configure the tool to receive data from the SNMP service.

Configuring SNMP traps
The SNMP service can use trap messages to report on the activity of BlackBerry Enterprise Service 10 components. The SNMP agent sends trap messages to an SNMP trap management tool. You can use the SNMP trap management tool that is included with your organization’s SNMP management tool, or you can install and configure a standalone SNMP trap management tool. If you use a standalone SNMP trap management tool, verify that the SNMP trap service is not running on the computers that host the BlackBerry Enterprise Service 10 components.

Configure the SNMP service to send trap messages
If you want the SNMP service to send trap messages to an SNMP trap management tool on a separate computer, you must specify where you want the SNMP service to send the trap messages.

Before you begin: On the computers that host the BlackBerry Enterprise Service 10 components, verify that the SNMP service is running.

On the computer that hosts a BlackBerry Enterprise Service 10 component that you want to monitor, in the Windows Services, change the following settings for the SNMP service:
• For SNMP traps, specify the community name.
• For SNMP trap destinations, type the IP address or name of the computer that hosts the SNMP trap management tool.

After you finish:
• Repeat this task on each computer that hosts a BlackBerry Enterprise Service 10 component that you want to monitor.
• If you use a standalone SNMP trap management tool, verify that the SNMP trap service is not running on the computers that host the BlackBerry Enterprise Service 10 components.

Troubleshooting

Error binding to Trap Port (162), it may already be in use
Description
This error message might appear when you start a standalone SNMP trap management tool.
Possible solution
1. On the computer that hosts the BlackBerry Enterprise Service 10 component that you want to monitor, stop the SNMP trap service.
2.  Restart the standalone SNMP trap management tool.

Restarting BlackBerry Enterprise Service 10 components
When you complete certain administrative tasks, you must restart one or more BlackBerry Enterprise Service 10 components using the Windows Services.
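A read-only audit of the SNMP agent registration, the SNMP service settings and the trap-port conflict described in the SNMP monitoring section above, as an added PowerShell example; this is not code from the BlackBerry guide. The registry paths, value names and the agent DLL name are the ones the guide gives; $Bes10Root is the installation folder, with a placeholder default, and the function names are assumptions. The meaning of the Windows SNMP service's own registry values (community rights, permitted managers, trap destinations) is taken from the Windows SNMP service layout, not from the guide, and is marked as such in the code.

```powershell
# Added example (not part of the BlackBerry guide): read-only audit of the SNMP settings the guide asks
# you to verify. Nothing is changed; each problem found is returned as one line of text.

function Get-RegistryValues {
    # Helper: the named values under a key as a name -> data hashtable (empty if the key is missing).
    param([Parameter(Mandatory)][string]$Path)
    $result = @{}
    if (-not (Test-Path -Path $Path)) { return $result }
    $item = Get-Item -Path $Path
    foreach ($name in $item.GetValueNames()) { $result[$name] = $item.GetValue($name) }
    return $result
}

function Test-Bes10SnmpSetup {
    param([string]$Bes10Root = 'C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10')  # placeholder
    $findings   = New-Object System.Collections.Generic.List[string]
    $snmpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

    # 1. Agent registration (the guide's "Verify the Registry settings for the SNMP agent" task).
    $agentKey    = 'HKLM:\SOFTWARE\Wow6432Node\Research In Motion\BlackBerry Enterprise Service\Monitoring Service\SNMPAgent\CurrentVersion'
    $expectedDll = Join-Path $Bes10Root 'Monitoring Service\dll\BMSI_SNMP_Agent32.dll'
    $pathName    = (Get-ItemProperty -Path $agentKey -Name PathName -ErrorAction SilentlyContinue).PathName
    if ($pathName -ne $expectedDll)          { $findings.Add("PathName is '$pathName'; expected '$expectedDll'") }
    if (-not (Test-Path -Path $expectedDll)) { $findings.Add("Agent DLL not found: $expectedDll") }

    $expectedRef = 'SOFTWARE\Research In Motion\BlackBerry Enterprise Service\Monitoring Service\SNMPAgent\CurrentVersion'
    $ref = (Get-ItemProperty -Path "$snmpParams\ExtensionAgents" -Name 'RIM.SNMPAgent32' -ErrorAction SilentlyContinue).'RIM.SNMPAgent32'
    if ($ref -ne $expectedRef) { $findings.Add("ExtensionAgents\RIM.SNMPAgent32 is '$ref'; expected '$expectedRef'") }

    # 2. Community names: the guide wants a valid name with at least read-only rights.
    #    Assumption (Windows SNMP service layout): rights are 4 = READ ONLY, 8 = READ WRITE, 16 = READ CREATE.
    $communities = Get-RegistryValues -Path "$snmpParams\ValidCommunities"
    if ($communities.Count -eq 0) { $findings.Add('No SNMP community is configured') }
    foreach ($c in $communities.GetEnumerator()) {
        if ($c.Key -eq 'public') { $findings.Add("Community 'public' is the well-known default; use a non-default name") }
        if ($c.Value -lt 4)      { $findings.Add("Community '$($c.Key)' has no read rights (value $($c.Value))") }
        if ($c.Value -gt 4)      { $findings.Add("Community '$($c.Key)' grants more than read-only (value $($c.Value))") }
    }

    # 3. Permitted managers (the guide's "IP addresses or names of the computers that the SNMP service can
    #    accept SNMP data from"). Assumption: with no entries, Windows accepts SNMP packets from any host.
    $managers = Get-RegistryValues -Path "$snmpParams\PermittedManagers"
    if ($managers.Count -eq 0) { $findings.Add('PermittedManagers is empty: SNMP requests are accepted from any host') }

    # 4. Trap community and destinations (the "Configure the SNMP service to send trap messages" task).
    #    Assumption: one subkey per trap community, each value holding one destination.
    $trapRoot = "$snmpParams\TrapConfiguration"
    $trapCommunities = @(if (Test-Path -Path $trapRoot) { Get-ChildItem -Path $trapRoot })
    if ($trapCommunities.Count -eq 0) { $findings.Add('No trap community or destination is configured') }
    foreach ($tc in $trapCommunities) {
        if ((Get-RegistryValues -Path $tc.PSPath).Count -eq 0) { $findings.Add("Trap community '$($tc.PSChildName)' has no destination") }
    }

    # 5. Trap port conflict: a standalone trap tool cannot bind UDP 162 while the Windows SNMP Trap service holds it.
    $trapSvc = Get-Service -Name 'SNMPTRAP' -ErrorAction SilentlyContinue
    if ($trapSvc -and $trapSvc.Status -eq 'Running') {
        $findings.Add('Windows SNMP Trap service is running; stop it if a standalone trap tool must listen on port 162')
    }
    return $findings
}

# Usage on each computer that hosts a monitored component (no output means every check passed):
# Test-Bes10SnmpSetup | ForEach-Object { Write-Warning $_ }
```

Findings 2 and 3 are the ones that matter for exposure: a read-write community or an empty PermittedManagers list turns the monitoring agent into something any host on the network can query, which is more than the guide's read-only, named-manager setup intends.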
Restarting one component
To restart one BlackBerry Enterprise Service 10 component at a time, you can use the restart functionality in the Windows Services.

Restarting all components
To restart all of the BlackBerry Enterprise Service 10 components, you must stop and start the components in a specific order.

Stop the components in the following order:
1. BlackBerry Controller
2. BlackBerry Dispatcher
3. All remaining components

Start the components in the following order:
1. BlackBerry Dispatcher
2. BlackBerry Controller
3. All remaining components

3 Setting up BlackBerry Device Service components
Before you can activate and manage BlackBerry 10 devices and BlackBerry PlayBook tablets, you may need to configure some BlackBerry Device Service components so that they can run in your organization's environment. You can configure BlackBerry Administration Service pools, configure a proxy server, configure how data is pushed to devices, and more.

Changing the security settings of the BlackBerry Administration Service
The BlackBerry Administration Service is a web application that you can use to manage the user accounts and devices that are associated with a BlackBerry Device Service instance. You can manage user accounts and assign groups, administrative roles, software configurations, profiles, and IT policies to user accounts.

Configuring Microsoft Active Directory authentication in an environment that includes a resource forest
If your organization's environment includes a resource forest that is dedicated to running Microsoft Exchange, you can configure Microsoft Active Directory authentication for BlackBerry device users that have user accounts that are located in trusted account forests. If a resource forest exists in your organization's environment, you must install BlackBerry Enterprise Service 10 in the resource forest. In the resource forest, you create a mailbox for each user account and associate the mailboxes with the user accounts. When you associate the mailboxes in the resource forest with user accounts in the account forests, the user accounts obtain full access to the mailboxes and the user accounts in the account forests are connected to the Microsoft Exchange server.

To authenticate users who log in to the BlackBerry Administration Service, the BlackBerry Administration Service must read the user information that is stored in the global catalog servers that are part of the resource forest. To configure the BlackBerry Administration Service to authenticate user accounts that are associated with mailboxes in the resource forest, you must create a Microsoft Active Directory account for the BlackBerry Administration Service that is located in a Windows domain that is part of the resource forest.

During the installation process, you provide the Windows domain, username, and password for the Microsoft Active Directory account, and, if required, the names of the global catalog servers that the BlackBerry Administration Service can use. You can change the Windows domain, username, and password for the Microsoft Active Directory account and global catalog servers after the installation process completes. For more information, visit technet.microsoft.com to read Using a Dedicated Exchange forest.

Changing password settings for BlackBerry Administration Service authentication
If you use BlackBerry Administration Service authentication, you can change the minimum password length and the date when passwords expire. By default, the minimum password length is four characters and a password expires after 365 days. If you change the minimum password length, administrators who use passwords that do not meet the new minimum length are not required to change the passwords until the passwords expire.
Change password settings for BlackBerry Administration Service authentication 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view. 2. Click BlackBerry Administration Service. 3. Click Edit component. 4. In the Security settings section, change the minimum password length and number of days until the password expires. 5. Click Save all. Regenerate the system credentials for the BlackBerry Administration Service The setup application generates the system credentials for the BlackBerry Administration Service during the installation process. The BlackBerry Administration Service uses the system credentials when it communicates with the BlackBerry Device Service components. If you suspect that the system credentials are compromised, you can generate new system credentials on the database server. Before you begin: Verify that you have database owner permissions for the BlackBerry Configuration Database. 1. On each computer that hosts a BlackBerry Administration Service instance, in the Windows Services, stop the BlackBerry Administration Service services. 2. On the database server, in the BlackBerry Configuration Database, run the following SQL statement: DELETE from BASTraits WHERE PlugInId=8 AND TraitId=0. 3. On each computer that hosts a BlackBerry Administration Service instance, in the Windows Services, start the BlackBerry Administration Service services. 81 Configuration Guide Setting up BlackBerry Device Service components Configuring multiple BlackBerry Administration Service instances If you install multiple BlackBerry Administration Service instances, you can configure a BlackBerry Administration Service pool to send requests to available instances and to avoid a single point of failure. 
When you install the first BlackBerry Administration Service instance in a BlackBerry Enterprise Service 10 domain, the default name of the BlackBerry Administration Service pool is the FQDN of the computer that you perform the installation on. If you want to configure a BlackBerry Administration Service pool after the installation process completes, you must change the name of the BlackBerry Administration Service pool. You can configure only one BlackBerry Administration Service pool in a BlackBerry Enterprise Service 10 domain.

If you want to configure a BlackBerry Administration Service pool using DNS round robin, you must change the pool name to the DNS name that maps to the IP address of each computer that hosts a BlackBerry Administration Service instance. You must also change the pool name if you change the DNS name that maps to the BlackBerry Administration Service instances.

If you want to configure a BlackBerry Administration Service pool using a hardware load balancer, you must change the pool name to the DNS name of the load balancer.

Change the name of the BlackBerry Administration Service pool

When you change the name of the BlackBerry Administration Service pool, you must synchronize all BlackBerry Administration Service instances with the pool name in the BlackBerry Configuration Database.

Before you begin: If you want to configure a BlackBerry Administration Service pool using DNS round robin, create the DNS records that represent the BlackBerry Administration Service instances in the pool, where each DNS record contains the IP address of an instance.

1. On a computer that hosts a BlackBerry Administration Service instance, open the BES10 Configuration Tool. If a Windows message appears and requests permission to make changes to the computer, click Yes.
2. On the BlackBerry Administration Service Pool tab, in the Pool name field, type the new pool name.
3. Click OK.
4. In the Windows Services, restart the BlackBerry Administration Service services.
5. On a computer that hosts another BlackBerry Administration Service instance, open the BES10 Configuration Tool. If the BES10 Configuration Tool is already open, close it and then open it again.
6. On the BlackBerry Administration Service Pool tab, click Synchronize.
7. Click OK.
8. In the Windows Services, restart the BlackBerry Administration Service services.
9. Repeat steps 5 to 8 for each BlackBerry Administration Service instance in the pool.

After you finish: Import the SSL certificate again so that the certificate matches the new pool name that you specified; browsers and devices connect to the pool name and will warn if the certificate was issued for the old one. See Import a new SSL certificate into the web keystores.

Configuring the BlackBerry Administration Service to use a proxy server

To meet the security requirements of your organization's environment, you can configure the BlackBerry Administration Service to select a proxy server and, if necessary, authenticate with it.

Configuring proxy selection for the BlackBerry Administration Service

You can configure the BlackBerry Administration Service to select a proxy server either manually or automatically.

To configure manual proxy selection, you can use one of the following tools:
• Network Shell Utility (netsh.exe) with Windows Server 2008 or Windows Server 2012 (32-bit netsh.exe only)
• Windows Internet Explorer

To configure automatic proxy selection, you can use one of the following methods:
• Enable the Web Proxy Autodiscovery Protocol using the BlackBerry Enterprise Trait Tool
• Specify a URL for a PAC file using Windows Internet Explorer

Use the Network Shell Utility to configure manual proxy selection

Depending on the operating system on the computer that hosts the BlackBerry Administration Service, you can use the Network Shell Utility (netsh.exe) to select a proxy server manually.
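The netsh procedure for one host, as an added example that is not part of the guide. The guide says to use the 32-bit netsh.exe; on 64-bit Windows that binary is %SystemRoot%\SysWOW64\netsh.exe, and the script picks it accordingly. The proxy address and bypass list are placeholders for your network. After applying the setting it reads the WinHttpSettings value in both the 64-bit and the 32-bit (WOW6432Node) registry views, because a 32-bit process reads the latter and that is where a 32-bit netsh writes.

```powershell
# Added example (not from the BES10 guide): set the machine-wide WinHTTP proxy that the
# BlackBerry Administration Service uses, with the 32-bit netsh.exe the guide requires.
# Run in an elevated Windows PowerShell session on each BAS host.
# Assumptions: the proxy address and bypass list are placeholders for your network.
$Proxy      = 'proxy.corp.example.com:8080'
$BypassList = '<local>;*.corp.example.com'   # destinations reached without the proxy

# On 64-bit Windows the 32-bit system binaries live in SysWOW64; on 32-bit Windows the
# only netsh.exe (in System32) is already 32-bit.
if ([Environment]::Is64BitOperatingSystem) { $netsh = "$env:SystemRoot\SysWOW64\netsh.exe" }
else                                        { $netsh = "$env:SystemRoot\System32\netsh.exe" }
if (-not (Test-Path $netsh)) { throw "netsh.exe not found at $netsh" }

$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'netsh winhttp set proxy writes to HKLM; run this from an elevated prompt.'
}

Write-Host '--- current WinHTTP proxy (revert later with: netsh winhttp reset proxy) ---'
& $netsh winhttp show proxy

# Apply the manual proxy selection.
& $netsh winhttp set proxy proxy-server="$Proxy" bypass-list="$BypassList"
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

Write-Host '--- new WinHTTP proxy ---'
& $netsh winhttp show proxy

# The guide names the WinHttpSettings value under HKLM\...\Internet Settings\Connections.
# 32-bit processes on 64-bit Windows see the WOW6432Node view of HKLM\SOFTWARE for
# redirected keys, so report both views and confirm the proxy string landed where the
# 32-bit BAS process reads it. The value is a binary blob with the proxy string embedded
# as ASCII text, which is enough for a substring check.
function Get-WinHttpProxyText([string]$Key) {
    $p = Get-ItemProperty -Path $Key -Name WinHttpSettings -ErrorAction SilentlyContinue
    if ($p) { [Text.Encoding]::ASCII.GetString($p.WinHttpSettings) } else { $null }
}
$views = [ordered]@{
    '64-bit view' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    '32-bit view' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
}
foreach ($v in $views.GetEnumerator()) {
    $text = Get-WinHttpProxyText $v.Value
    if (-not $text)                 { $state = 'value absent' }
    elseif ($text -like "*$Proxy*") { $state = "contains $Proxy" }
    else                            { $state = 'present but does not contain the new proxy' }
    '{0,-12} {1}' -f $v.Key, $state
}
```

Repeat on every computer that hosts a BlackBerry Administration Service instance, as the guide requires; on a 32-bit server the WOW6432Node path simply reports the value as absent.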
You must configure manual proxy selection on all of the computers that host a BlackBerry Administration Service instance. The Network Shell Utility stores the proxy server settings in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings registry value. You must run the Network Shell Utility as an administrator. The Network Shell Utility works with Windows Server 2008 and Windows Server 2012 (32-bit netsh.exe only). For more information about the Network Shell Utility, visit technet.microsoft.com and search for netsh.exe.

Use Windows Internet Explorer to configure manual proxy selection

Windows Internet Explorer stores its proxy settings per user, so you must perform this task while logged in as the Windows account that runs the BlackBerry Administration Service services; settings made under any other account are not visible to the service.

1. On a computer that hosts a BlackBerry Administration Service instance, log in using the Windows account that runs the BlackBerry Administration Service services.
2. Open Windows Internet Explorer.
3. Click Tools > Internet Options.
4. On the Connections tab, click LAN settings.
5. Select Use a proxy server for your LAN.
6. In the Address field, type the address for the proxy server.
7. In the Port field, type the port number for the proxy server.
8. Click OK.
9. Click OK again.

Windows Internet Explorer stores the settings for the proxy server in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings registry key.

After you finish: Repeat this task on each computer that hosts a BlackBerry Administration Service instance.

Use the Web Proxy Autodiscovery Protocol to configure automatic proxy selection

You can use the BlackBerry Enterprise Trait Tool to configure the BlackBerry Administration Service to use the Web Proxy Autodiscovery Protocol (WPAD) to select a proxy server automatically. WPAD uses DHCP and DNS to find a PAC file. Because the trait is set with the -global option, you perform this task on any one computer that hosts a BlackBerry Administration Service instance.

WPAD makes the server trust whichever PAC file the DHCP and DNS answers on its network point to, so enable it only on networks where you control those services; otherwise specify the PAC file URL explicitly using the procedure that follows.
Note: If the proxy server authenticates using HTTP basic authentication, the Web Proxy Autodiscovery Protocol file must be on a computer that is separate from the proxy server and must use Windows authentication or anonymous authentication.

1. On a computer that hosts a BlackBerry Administration Service instance, in the BlackBerry Enterprise Service 10 installation files, navigate to the tools folder and run TraitTool.exe as an administrator.
2. Type traittool -global -trait BASIsProxyWPADOptionEnabled -set 1.

After you finish:
• To clear the current settings for the Web Proxy Autodiscovery Protocol, type traittool -global -trait BASIsProxyWPADOptionEnabled -erase.
• To turn off the Web Proxy Autodiscovery Protocol, type traittool -global -trait BASIsProxyWPADOptionEnabled -set 0.

Use Windows Internet Explorer and a PAC file to configure automatic proxy selection

Note: If the proxy server authenticates using HTTP basic authentication, the PAC file must be on a computer that is separate from the proxy server and must use Windows authentication or anonymous authentication.

Before you begin: Obtain the URL for the PAC file.

1. On a computer that hosts a BlackBerry Administration Service instance, log in using the Windows account that runs the BlackBerry Administration Service services.
2. Open Windows Internet Explorer.
3. Click Tools > Internet Options.
4. On the Connections tab, click LAN settings.
5. Select Use automatic configuration script.
6. In the Address field, type the URL for the PAC file.
7. Click OK.
8. Click OK again.

After you finish: Repeat this task on each computer that hosts a BlackBerry Administration Service instance.

Configuring the BlackBerry Administration Service to authenticate with a proxy server

If your organization's proxy server requires authentication, you must configure the BlackBerry Administration Service to authenticate with the proxy server.
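A scripted version of the Internet Explorer and PAC file procedure above, as an added example that is not part of the guide. It must run as the Windows account that runs the BlackBerry Administration Service services, because Internet Explorer reads the setting from that account's HKCU hive; it checks the two conditions in the note (the PAC file is served from a computer other than the proxy, and it can be fetched anonymously or with Windows authentication), looks at which proxies the PAC file names before trusting it, and then writes the AutoConfigURL value that the LAN settings dialog sets. The service account name, PAC URL and proxy host are assumptions.

```powershell
# Added example (not from the BES10 guide): set the PAC file URL for the Windows account
# that runs the BlackBerry Administration Service services and verify the PAC file can
# be fetched. Assumptions: the account name and URLs below are placeholders.
$ServiceAccount = 'CORP\svc-bas'                           # runs the BAS services
$PacUrl         = 'http://wpad.corp.example.com/proxy.pac'
$ProxyHost      = 'proxy.corp.example.com'                  # the proxy the PAC file selects

# Internet Explorer reads these values from HKCU, so they must be written in the service
# account's own hive: run this script as that account (for example with runas).
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne $ServiceAccount) {
    throw "Running as $me; run this as $ServiceAccount or the setting lands in the wrong user hive."
}

# The guide's note: with a proxy that requires Basic authentication, the PAC file must be
# served from a different computer than the proxy and allow anonymous or Windows auth.
$pacHost = ([Uri]$PacUrl).Host
if ($pacHost -eq $ProxyHost) {
    throw "PAC file host ($pacHost) is the proxy host; serve the PAC file from a separate computer."
}

# Fetch the PAC file as this account would. -UseDefaultCredentials answers a Windows
# authentication challenge; an anonymous server simply returns the file.
$resp = Invoke-WebRequest -Uri $PacUrl -UseBasicParsing -UseDefaultCredentials -TimeoutSec 15
if ($resp.StatusCode -ne 200) { throw "PAC download returned HTTP $($resp.StatusCode)" }
if ($resp.Content -notmatch 'function\s+FindProxyForURL\s*\(') {
    throw 'Downloaded content does not define FindProxyForURL, so it is not a PAC file.'
}

# A PAC file is JavaScript evaluated by every process that uses it; confirm it only names
# proxies you recognise before pointing the BAS at it.
$named = [regex]::Matches($resp.Content, 'PROXY\s+([A-Za-z0-9.\-]+)(?::\d+)?') |
         ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
"Proxies named in PAC file: $($named -join ', ')"
if ($named -notcontains $ProxyHost) { Write-Warning "PAC file does not name the expected proxy $ProxyHost." }

# Equivalent of Internet Options > Connections > LAN settings > Use automatic configuration script.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $key -Name AutoConfigURL -Value $PacUrl -Type String

$now = Get-ItemProperty -Path $key
"AutoConfigURL = $($now.AutoConfigURL)"
if ($now.ProxyEnable -eq 1) {
    Write-Warning "A manual proxy ($($now.ProxyServer)) is also enabled for this account; choose one selection method."
}
Write-Host "Repeat on every BAS host, logged in as $ServiceAccount."
```

The regex only recognises `PROXY host:port` directives; a PAC file that builds its proxy string dynamically needs a manual read, which is the point of printing what was found rather than trusting it blindly.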
If the proxy server uses Windows authentication, you must configure the proxy server to authenticate the Windows account that runs the BlackBerry Administration Service services.

If the proxy server uses HTTP basic authentication, you use the BlackBerry Enterprise Trait Tool to configure the username and password. You must specify the credentials for each BlackBerry Administration Service instance. HTTP basic authentication sends the username and password base64-encoded, not encrypted, so use it only where the connection between the BlackBerry Administration Service and the proxy server stays on a trusted network.

Configure the BlackBerry Administration Service to use HTTP basic authentication

You use the BlackBerry Enterprise Trait Tool to configure the BlackBerry Administration Service to use HTTP basic authentication to authenticate with a proxy server. HTTP basic authentication requires a username and password.

1. On a computer that hosts a BlackBerry Administration Service instance, in the BlackBerry Enterprise Service 10 installation files, navigate to the tools folder and run TraitTool.exe as an administrator.
2. Type traittool -BASServer <server> -trait BASProxyBasicAuthUID -set <username>, where <server> is the name of the computer that hosts the BlackBerry Administration Service instance and <username> is the username for the proxy server (for example, user01@blackberry.com or blackberry.com\user01).
3. Type traittool -BASServer <server> -trait BASProxyBasicAuthPassword -set <password>, where <server> is the name of the computer that hosts the BlackBerry Administration Service instance and <password> is the password for that username. The password is typed in clear text on the command line, so do not run it from a script that is kept afterwards.

After you finish: Repeat this task on each computer that hosts a BlackBerry Administration Service instance.

Delete credentials for HTTP basic authentication

1. On a computer that hosts a BlackBerry Administration Service instance, in the BlackBerry Enterprise Service 10 installation files, navigate to the tools folder and run TraitTool.exe as an administrator.
2. Type traittool -BASServer <server> -trait BASProxyBasicAuthUID -erase, where <server> is the name of the computer that hosts the BlackBerry Administration Service instance.
3. Type traittool -BASServer <server> -trait BASProxyBasicAuthPassword -erase, where <server> is the name of the computer that hosts the BlackBerry Administration Service instance.

After you finish: Repeat this task on each computer that hosts a BlackBerry Administration Service instance.

Connect to an SMTP server to send email notifications to users

To allow the BlackBerry Administration Service to send email notifications to users, you must connect it to an SMTP server. For example, to send users activation email messages, you must configure SMTP server settings.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand Notification settings.
2. Click SMTP configuration.
3. Click Edit settings.
4. In the Sender configuration section, in the Sender address field, type the email address that you want the BlackBerry Administration Service to send system messages or activation passwords from.
5. In the SMTP server information section, in the SMTP server URL field, type the host name of the SMTP server.
6. In the SMTP server port field, type the SMTP server port number.
7. For Supported encryption method, select the encryption method to use for the connection to the SMTP server.
8. If the SMTP server requires authentication, in the User name field, type the SMTP server login name. Type and confirm the SMTP server password.
9. Click Save all.
10. If your organization's environment does not allow anonymous access to your SMTP server, you must import the SSL certificate for the SMTP server so that the BlackBerry Administration Service trusts the encrypted connection:
   a. Copy the SSL certificate for your organization's SMTP server to the computer that you are using.
   b. Click Import SMTP certificate.
   c. Browse to the SSL certificate file and click Import SMTP certificate.
   d. On all computers that host BlackBerry Administration Service instances, in the Windows Services, restart the BlackBerry Administration Service services.

Create an activation email message to test the SMTP settings

You can send a test activation email message to confirm that the SMTP settings are correct and that your activation email message meets your organization's requirements.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand Notification settings.
2. Click SMTP configuration.
3. Click Send test email message.
4. In the Email address field, specify the email address that you want to send the activation email message to.
5. In the Display name field, specify the name that is displayed in the email message.
6. In the Server address field, specify the server address for the email address that you are using to send the activation email message.
7. Type an activation password and an expiration date for the password.
8. Click Send test email message.

Creating a shared network folder for distributing apps to devices

You can use the BlackBerry Device Service to install and manage work apps in the work space on devices. Work apps can only access work data and interact with other work apps. A work app can be either an internal app or a public app available from the BlackBerry World storefront. You can add an internal app to the BlackBerry Device Service by specifying the .bar file using the BlackBerry Administration Service. The BlackBerry Device Service then adds the internal app to your organization's shared network folder. You can specify the internal work apps that you want to install, update, or remove, and you can specify whether internal apps are required or optional on devices.
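Returning to step 10 of the SMTP procedure above: before importing the SMTP server's SSL certificate you want the certificate the server actually presents, and its fingerprint to confirm with the mail team. The following added example, not part of the guide, connects to the SMTP server, negotiates STARTTLS, captures the server certificate and writes it to a DER-encoded .cer file, the usual standalone certificate file format. Host name and port are assumptions. It deliberately accepts any certificate during this one inspection handshake so that it can read and save it; that is not a trust decision and the script must not be reused as one.

```powershell
# Added example (not from the BES10 guide): fetch the certificate your SMTP server
# presents during STARTTLS so you can check it and then import it into the BAS.
# Assumptions: host and port below are placeholders; the server offers STARTTLS.
param(
    [string]$SmtpHost = 'smtp.corp.example.com',
    [int]   $Port     = 587,
    [string]$OutFile  = "$env:TEMP\smtp-server.cer"
)

function Read-SmtpReply([IO.StreamReader]$Reader) {
    # SMTP multi-line replies use "250-" on continuation lines and "250 " on the last line.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'SMTP server closed the connection.' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

function Get-SmtpStartTlsCertificate([string]$HostName, [int]$PortNumber) {
    $client = New-Object Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $PortNumber)
        $net    = $client.GetStream()
        $reader = New-Object IO.StreamReader($net, [Text.Encoding]::ASCII)
        $writer = New-Object IO.StreamWriter($net, [Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        if ($banner[-1] -notmatch '^220') { throw "Unexpected banner: $($banner[-1])" }

        $writer.WriteLine("EHLO $env:COMPUTERNAME")
        $ehlo = Read-SmtpReply $reader
        if (-not ($ehlo -match 'STARTTLS')) { throw "Server does not advertise STARTTLS: $($ehlo -join ' | ')" }

        $writer.WriteLine('STARTTLS')
        $ready = Read-SmtpReply $reader
        if ($ready[-1] -notmatch '^220') { throw "STARTTLS refused: $($ready[-1])" }

        # Capture what the server presents. Returning $true accepts any certificate for
        # THIS inspection connection only; it is not a trust decision.
        $captured = @{ Chain = $null; Errors = $null }
        $callback = [Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $captured.Chain  = $chain
            $captured.Errors = $errors
            $true
        }.GetNewClosure()
        $ssl = New-Object Net.Security.SslStream($net, $false, $callback)
        $ssl.AuthenticateAsClient($HostName)

        $leaf = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject          = $leaf.Subject
            Issuer           = $leaf.Issuer
            NotAfter         = $leaf.NotAfter
            Thumbprint       = $leaf.Thumbprint     # SHA-1 fingerprint to confirm out of band
            Protocol         = $ssl.SslProtocol
            ValidationErrors = $captured.Errors      # None means Windows already trusts the chain
            ChainLength      = if ($captured.Chain) { $captured.Chain.ChainElements.Count } else { 0 }
            Certificate      = $leaf
        }
    } finally {
        $client.Close()
    }
}

$result = Get-SmtpStartTlsCertificate -HostName $SmtpHost -PortNumber $Port
$result | Select-Object Subject, Issuer, NotAfter, Thumbprint, Protocol, ValidationErrors, ChainLength | Format-List

# Write the server certificate as DER (.cer) for the Import SMTP certificate step.
$der = $result.Certificate.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[IO.File]::WriteAllBytes($OutFile, $der)
Write-Host "Server certificate written to $OutFile. Confirm the thumbprint with the mail team before importing."
```

If `ValidationErrors` reports `None`, the server's chain is already trusted by the Windows store on the machine you ran this from; the BlackBerry Administration Service keeps its own keystore, which is why the guide still has you import the certificate.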
You can also specify the BlackBerry device models that support an internal app so that the app is installed only on compatible devices. If you specify that an app is required, the app is automatically installed on the device and the user cann�t remove it.

When you configure required and optional apps for devices using the BlackBerry Device Service, the BlackBerry Device Service adds the apps to the shared network folder that you specified (the AppLoader folder in the shared network folder). The BlackBerry Administration Service must be able to access the shared network folder to store application files and install apps on devices. Do not add application files directly to the shared network folder or make changes to the files that the BlackBerry Administration Service stores in the shared network folder. Because devices install whatever the BlackBerry Device Service publishes from this folder, restrict write access to the service accounts that need it; anyone who can modify the folder can change the apps, wallpaper and certificates that are sent to devices.

You also use the shared network folder to store the work space wallpaper that the BlackBerry Device Service sends to devices, and to store trusted root and server certificates that the BlackBerry Device Service sends to devices so that the devices can trust server certificates when making connections to work networks and servers. Work space wallpaper is stored in the Shared\Wallpapers folder, and certificates are stored in the appropriate folder under Shared\Certificates, in the shared network folder.

This guide provides instructions for how to create and specify the shared network folder that you want the BlackBerry Administration Service to use to store and distribute apps. For more information about using the BlackBerry Administration Service to distribute apps to BlackBerry devices, visit docs.blackberry.com/BES10 to read the BlackBerry Device Service Advanced Administration Guide.

Specify a shared network folder

When you add the shared network folder location to the BlackBerry Administration Service, the folders for apps, wallpaper, and certificates are created automatically in the shared network folder.

Before you begin:
• Create a shared network folder on the network that hosts the BlackBerry Device Service. This shared network folder must not be located in <drive>:\Program Files (x86)\Common Files\Research In Motion. If you configure a BlackBerry Administration Service pool, ensure that all BlackBerry Administration Service instances have access to the shared network folder location. All instances in a pool use the same shared network location.
• Verify that the service account for the BlackBerry Administration Service Application Server has write permissions for the shared network folder.
• Verify that the computer that hosts the BlackBerry Device Service has read and write access to the shared network folder. The BlackBerry Device Service requires write access to the shared network folder when apps are published.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
2. Click BlackBerry Administration Service.
3. Click Edit component.
4. In the Network drive section, in the BlackBerry Administration Service shared network drive field, type the path of the shared network folder in UNC format, \\<computer name>\<share name> (for example, \\ComputerName\Applications\Testing).
5. Click Save all.

After you finish: Back up the shared network folder.

Configuring how data is pushed to devices

The BlackBerry MDS Connection Service connects apps on BlackBerry devices to push applications. Push applications are hosted on an organization's application servers or web servers, and are capable of pushing data to apps on devices. For more information about push applications, see the developer documentation at https://developer.blackberry.com.
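Returning to the shared network folder procedure above, the following added example (not from the guide) creates the folder and SMB share on a file server and grants write access only to the accounts the Before you begin list names: the BlackBerry Administration Service Application Server service account and the computer account of each BlackBerry Device Service host. It also refuses a path under Program Files (x86)\Common Files\Research In Motion, as the guide requires. Account names, paths and the admin group are assumptions; it needs an elevated Windows PowerShell session on a server with the SmbShare module (Windows Server 2012 or later).

```powershell
# Added example (not from the BES10 guide): create the shared network folder for app
# distribution with least-privilege NTFS and share permissions.
# Assumptions: every name below is a placeholder for your environment.
param(
    [string]  $Path           = 'D:\BES10Share',
    [string]  $ShareName      = 'BES10Apps',
    [string]  $BasServiceAcct = 'CORP\svc-bas',        # runs the BAS Application Server
    [string[]]$BdsHostAccts   = @('CORP\BDS01$'),      # computer account(s) of BDS host(s)
    [string]  $AdminGroup     = 'CORP\BES10-Admins'    # backs up / inspects the folder
)
$ErrorActionPreference = 'Stop'

# The guide forbids placing the folder inside the BES10 common files directory.
$pf86 = ${env:ProgramFiles(x86)}
if ($pf86) {
    $forbidden = Join-Path $pf86 'Common Files\Research In Motion'
    if ($Path.TrimEnd('\').StartsWith($forbidden, [StringComparison]::OrdinalIgnoreCase)) {
        throw "Do not create the shared network folder under $forbidden."
    }
}
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    throw "Share $ShareName already exists; remove it or choose another name."
}

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# NTFS: stop inheriting (drops the default BUILTIN\Users read access), then grant only
# what is needed. BAS and BDS write app files; admins read for backup; SYSTEM and local
# Administrators keep full control so the server stays manageable.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # protect the DACL, do not copy inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$inherit   = [Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [Security.AccessControl.PropagationFlags]::None
function New-Ace([string]$Identity, [string]$Rights) {
    New-Object Security.AccessControl.FileSystemAccessRule(
        $Identity, [Security.AccessControl.FileSystemRights]$Rights, $inherit, $propagate,
        [Security.AccessControl.AccessControlType]::Allow)
}
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Ace $BasServiceAcct          'Modify'))
foreach ($bds in $BdsHostAccts) { $acl.AddAccessRule((New-Ace $bds 'Modify')) }
$acl.AddAccessRule((New-Ace $AdminGroup              'ReadAndExecute'))
Set-Acl -Path $Path -AclObject $acl

# SMB: share permissions combine with NTFS (most restrictive wins). Change for the writers,
# Read for admins, nothing for Everyone.
New-SmbShare -Name $ShareName -Path $Path `
    -ChangeAccess (@($BasServiceAcct) + $BdsHostAccts) `
    -ReadAccess $AdminGroup `
    -FolderEnumerationMode AccessBased | Out-Null

# Show the effective configuration; the UNC path is what goes in the BAS
# "BlackBerry Administration Service shared network drive" field.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl $Path).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
"UNC path for the BAS: \\$env:COMPUTERNAME\$ShareName"
```

From a BAS host, `Test-Path \\<server>\BES10Apps` run as the service account confirms the share is reachable before you enter it in the BlackBerry Administration Service; the access-based enumeration setting keeps users who lack permissions from even listing the folder contents.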
You can configure push initiators and push rules that define which push applications can send application data and updates to devices, and which users can receive push requests.

You can also use the BlackBerry MDS Connection Service to control the flow of data that is sent to devices. Managing the flow of data can minimize the amount of data that is sent over the wireless network and help to reduce the impact of pushing data to devices that are out of network coverage, turned off, or otherwise unavailable.

Configuring the BlackBerry MDS Connection Service and the Enterprise Management Web Service to use a proxy server

You can configure the BlackBerry MDS Connection Service and the Enterprise Management Web Service to route data through a proxy server. Use a proxy method that is consistent with the method that other applications and servers in your organization use to access web content.

Configure the BlackBerry MDS Connection Service and the Enterprise Management Web Service to use a PAC file

You can configure the BlackBerry MDS Connection Service and the Enterprise Management Web Service to use a proxy auto-configuration (PAC) file to locate and route data through the appropriate proxy server. Both components support the use of only one PAC file.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Device Service.
2. Click the instance that you want to change.
3. Click Edit instance.
4. On the Proxy mappings tab, in the Universal resource locator field, type the regular expression for the web addresses that you want this proxy mapping to control. The default entry matches all URLs. Write the expression so that it matches only the addresses you intend; a loosely written expression can also match unrelated addresses that happen to contain the same text.
5. If the proxy server requires authentication, in the Credentials section, type the user name and password of an account that has permission to access the proxy server. Prefer a dedicated account with no other rights, because the credentials are stored in the configuration and presented to the proxy on every connection.
6. In the Proxy type drop-down list, perform one of the following actions:
• To detect the PAC file automatically, click AUTO. The PAC file must be stored on the local network and must use an http or https URL.
• To specify the location of the PAC file, click PAC. In the Proxy string field, type the proxy server name, port number, and location of the PAC file using the following format: <protocol>://<server name>:<port>/<path to PAC file>. For example: http://bbsproxy.bbs.testnet.company.net:8081/pac/proxy.pac.
7. Click the Add icon for the proxy item. If you add more than one proxy item, use the Up and Down icons to set the priority of the proxy items.
8. Click the Add icon for the web address. If you add more than one web address, use the Up and Down icons to set the priority of the web addresses.
9. Click Save all.

Configure the BlackBerry MDS Connection Service and the Enterprise Management Web Service to use a proxy server

You can configure the BlackBerry MDS Connection Service and the Enterprise Management Web Service to route data directly through a proxy server. You can also configure connections to certain web addresses to bypass a proxy server.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Device Service.
2. Click the instance that you want to change.
3. Click Edit instance.
4. On the Proxy mappings tab, in the Universal resource locator field, type the regular expression for the web addresses that you want this proxy mapping to control. The default entry matches all URLs.
5. If the proxy server requires authentication, in the Credentials section, type the user name and password of an account that has permission to access the proxy server.
6. In the Proxy type drop-down list, perform one of the following actions:
• To specify a proxy server, click PROXY. In the Proxy string field, type the proxy server name and port number using the following format: <server name>:<port>.
• If you want data directed to the specified web address to bypass the proxy server, click DIRECT. Keep DIRECT expressions as specific as possible: a DIRECT mapping that matches more than you intended sends that traffic around the proxy and any inspection or filtering the proxy performs.
7. Click the Add icon for the proxy item. If you add more than one proxy item, use the Up and Down icons to set the priority for the proxy items.
8. Click the Add icon for the web address. If you add more than one web address, use the Up and Down icons to set the priority for the web addresses.
9. Click Save all.

Specifying a BlackBerry MDS Connection Service as a central push server

At least one BlackBerry MDS Connection Service in your organization's BlackBerry Enterprise Service 10 domain must act as a central push server. Central push servers receive content push requests from server-side applications that are located on an application server or on a web server. Central push servers also manage push requests and send application data and application updates to BlackBerry device applications.

It is recommended that at least two BlackBerry MDS Connection Service instances exist in a BlackBerry Enterprise Service 10 domain. If two instances exist, by default, both instances are central push servers. If more than two BlackBerry MDS Connection Service instances exist in a domain, you can specify the instances that you want to act as central push servers.

Specify a BlackBerry MDS Connection Service as a central push server

You can specify more than one BlackBerry MDS Connection Service in your organization's BlackBerry Enterprise Service 10 domain as a central push server. By default, if one or two BlackBerry MDS Connection Service instances exist in the domain, those instances are central push servers.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service.
2. Click the instance that you want to change.
3. Click Edit instance.
4. In the General section, in the Is centralized push server drop-down list, click Yes.
5. Click Save all.

After you finish: Notify your organization's push application developers that you have specified a new central push server.

Restricting the push application content that users can receive

By default, a BlackBerry MDS Connection Service sends push requests from server-side push applications to applications on BlackBerry devices. BlackBerry devices can receive application data and application updates without users requesting the content. You can configure your organization's environment so that only specific server-side push applications can send push requests to BlackBerry devices. You can turn on push authentication to prevent a BlackBerry MDS Connection Service from sending push requests from unauthorized push initiators, and create push initiators that permit specific server-side applications to send push requests to BlackBerry devices. For more information about push applications, see the developer documentation at https://developer.blackberry.com.

Restrict push applications from sending data to BlackBerry devices

You can turn on push authentication to permit only authenticated push applications to send push requests to applications on BlackBerry devices. Without it, any host that can reach the push server's listening port can submit push requests to devices.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service.
2. Click the instance that you want to change.
3. On the Instance information tab, click Edit instance.
4. In the Access control section, in the Push authentication options, click Yes.
5. Click Save all.

After you finish: To authenticate and permit specific server-side push applications to send push requests to BlackBerry devices, create push initiators.
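Push authentication, turned on above, relies on the push initiator credentials that the next procedure creates: a push application presents them in the HTTP Authorization header of each push request, and the BlackBerry MDS Connection Service checks that the header matches the initiator's name and password. The following added example, which is neither from the guide nor BlackBerry's code, shows both sides of that check for HTTP basic authentication: how a push application builds the header, and how a receiving server should parse and compare it, rejecting malformed and unknown credentials and comparing passwords in constant time. The initiator names and passwords are constructed sample data, and the assumption that the BlackBerry MDS Connection Service uses the Basic scheme is mine; treat the server side as an illustration of the check, not as BlackBerry's implementation.

```powershell
# Added example (not from the BES10 guide): build and verify an HTTP Basic Authorization
# header of the kind a push initiator presents to the push server.
# The push initiator table below is constructed sample data.

function New-BasicAuthorizationHeader([string]$Name, [string]$Password) {
    # RFC 7617: "Basic" + base64(name ":" password). The name must not contain ':'.
    if ($Name.Contains(':')) { throw 'Push initiator name cannot contain a colon.' }
    $bytes = [Text.Encoding]::UTF8.GetBytes("${Name}:${Password}")
    return 'Basic ' + [Convert]::ToBase64String($bytes)
}

function Test-ConstantTimeEqual([byte[]]$A, [byte[]]$B) {
    # Compare every byte regardless of where the first difference is, so that response
    # time does not reveal how much of a guessed password was right.
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

function Test-PushInitiatorAuthorization([string]$HeaderValue, [hashtable]$Initiators) {
    # Returns the authenticated initiator name, or $null when the request must be rejected.
    if (-not $HeaderValue) { return $null }                                 # no credentials
    $parts = $HeaderValue -split '\s+', 2
    if ($parts.Count -ne 2 -or $parts[0] -ne 'Basic') { return $null }      # wrong scheme
    try   { $decoded = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($parts[1])) }
    catch { return $null }                                                  # malformed base64
    $sep = $decoded.IndexOf(':')
    if ($sep -lt 1) { return $null }                                        # no name or no separator
    $name     = $decoded.Substring(0, $sep)
    $password = $decoded.Substring($sep + 1)
    $given    = [Text.Encoding]::UTF8.GetBytes($password)
    if (-not $Initiators.ContainsKey($name)) {
        # Still perform a comparison so unknown and known names take similar time.
        [void](Test-ConstantTimeEqual $given ([Text.Encoding]::UTF8.GetBytes('x' * 32)))
        return $null
    }
    $expected = [Text.Encoding]::UTF8.GetBytes($Initiators[$name])
    if (Test-ConstantTimeEqual $given $expected) { return $name } else { return $null }
}

# Constructed push initiator table (name -> password), standing in for the entries the
# "Create push initiators" procedure adds in the BlackBerry Administration Service.
$initiators = @{
    'SalesDashboardPush' = 'Kq8!vR2#tL9$wZ4'
    'AlertsPush'         = 'Hn3^sD7&pX1*mQ6'
}

# Client side: what a push application sends with its push request.
$header = New-BasicAuthorizationHeader -Name 'SalesDashboardPush' -Password 'Kq8!vR2#tL9$wZ4'
"Authorization: $header"

# Server side: one request that must be accepted, then requests that must all be rejected.
$cases = [ordered]@{
    'valid credentials' = $header
    'wrong password'    = New-BasicAuthorizationHeader 'SalesDashboardPush' 'wrong'
    'unknown initiator' = New-BasicAuthorizationHeader 'Nobody' 'Kq8!vR2#tL9$wZ4'
    'other scheme'      = 'Bearer abc.def.ghi'
    'not base64'        = 'Basic %%%%'
    'no header'         = $null
}
foreach ($c in $cases.GetEnumerator()) {
    $who = Test-PushInitiatorAuthorization -HeaderValue $c.Value -Initiators $initiators
    '{0,-18} -> {1}' -f $c.Key, $(if ($who) { "accepted as $who" } else { 'rejected' })
}
```

The header is base64, not encryption, which is why the push application should only send it over the HTTPS connection that the webserver.keystore section later in this chapter enables; push authentication limits who may push, it does not by itself protect the credential in transit.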
Create push initiators for push applications

When push authentication is turned on, every server-side push application has to authenticate with the BlackBerry MDS Connection Service for a push request. You specify authentication credentials by creating a push initiator account. You can configure several server-side push applications to use the same push initiator (that is, the same authentication password) if your organization's development environment permits it, but a separate push initiator for each application lets you revoke one application without affecting the others. Verify that the Authorization HTTP header in push requests from server-side push applications matches the name and password that you specify for the push initiator.

Before you begin: Turn on push authentication for the appropriate instances of the BlackBerry MDS Connection Service.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
2. Click MDS Connection Service.
3. Click Edit component.
4. On the Push initiators tab, in the Name field, type the name of the server-side application that you want to permit to send push requests to BlackBerry devices.
5. In the Credentials field, type the password for the server-side push application.
6. Click the Add icon.
7. Click Save all.

After you finish: Create a push initiator for each server-side push application that you want to permit to send push requests to BlackBerry devices.

Encrypt push requests that push applications send to BlackBerry devices

You can configure a BlackBerry MDS Connection Service to use SSL or TLS to encrypt the push requests that server-side push applications send to BlackBerry devices. By default, the BlackBerry MDS Connection Service does not encrypt the push requests that server-side push applications send.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service.
2. Click the instance that you want to change.
3. On the Instance information tab, click Edit instance.
4. In the Access control section, in the Push encryption drop-down list, click Yes.
5. Click Save all.

Managing push application requests

The BlackBerry MDS Connection Service receives push application requests from server-side push applications and sends the requests to applications on BlackBerry devices. You can control how the BlackBerry MDS Connection Service processes, stores, and sends push application requests. For more information about push applications, see the developer documentation at https://developer.blackberry.com.

Store push application requests in the BlackBerry Configuration Database

To manage memory and system resources in your organization's environment, you can configure a BlackBerry MDS Connection Service to store PAP and BlackBerry push requests in the BlackBerry Configuration Database. You can also configure storage settings for the BlackBerry Configuration Database.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service.
2. Click the instance that you want to change.
3. On the Instance information tab, click Edit instance.
4. In the Push access protocol section, in the Store push submissions drop-down list, click Yes.
5. Click Save all.

After you finish: Configure the settings for storing push requests in the BlackBerry Configuration Database.

Configure the settings for storing push requests in the BlackBerry Configuration Database

To manage your organization's system resources, you can configure storage settings for push requests that are stored in the BlackBerry Configuration Database.
96 Configuration Guide Setting up BlackBerry Device Service components 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view. 2. Click MDS Connection Service. 3. Click Edit component. 4. In the Push message settings section, in the Maximum number of push messages stored field, type the number of push requests that you want the BlackBerry Configuration Database to store. 5. In the Maximum push message age field, type the maximum length of time, in minutes, that you want the BlackBerry Configuration Database to store a push request before the request is deleted from the BlackBerry Configuration Database. 6. Click Save all. Configure the maximum number of active connections that a BlackBerry MDS Connection Service can process You can configure the maximum number of push connections that a BlackBerry MDS Connection Service can process at the same time. The BlackBerry MDS Connection Service queues the push connections that exceed this limit. 1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service. 2. Click the instance that you want to configure active connections for. 3. Click Edit instance. 4. In the Push access protocol section, in the Maximum number of active connections field, type a number. 5. Click Save all. Configure the maximum number of queued connections that a BlackBerry MDS Connection Service can process The BlackBerry MDS Connection Service queues push connections when the number of connections exceeds a limit that you specify. You can configure the maximum number of push connections that a BlackBerry MDS Connection Service can queue. The BlackBerry MDS Connection Service sends a "service unavailable" message to BlackBerry devices when the number of pending push connections in the queue exceeds the limit. 1. 
1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service.
2. Click the instance that you want to configure the maximum number of queued connections for.
3. Click Edit instance.
4. In the Push access protocol section, in the Maximum number of queued connections field, type a number.
5. Click Save all.

Configuration Guide Setting up BlackBerry Device Service components

Configuring how the BlackBerry MDS Connection Service connects to BlackBerry devices

You can configure various BlackBerry MDS Connection Service settings if you find that the performance of the BlackBerry MDS Connection Service isn't optimal for your organization's network. You should only perform the following tasks if the BlackBerry MDS Connection Service is experiencing slow performance or to resolve port conflicts on the computer that hosts the BlackBerry MDS Connection Service. If possible, verify your changes in a test environment before implementing them in a production environment.

Change the thread pool size of a BlackBerry MDS Connection Service

If the performance of the BlackBerry MDS Connection Service isn't optimal, you can change the maximum number of threads that the BlackBerry MDS Connection Service can process at the same time. By default, the BlackBerry MDS Connection Service processes 400 threads. When you change the thread pool size, you change how much system memory the BlackBerry MDS Connection Service requires to process the operations it performs.

Before you begin: Verify that your system memory can support the thread pool size that you want to specify.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service.
2. Click the instance that you want to specify the thread pool size for.
3. Click Edit instance.
4. On the General tab, in the Socket connection settings section, in the Thread pool size field, type a number between 100 and 1000.
5. Click Save all.

Change the maximum number of scalable socket connections

If the performance of the BlackBerry MDS Connection Service isn't optimal, you can change the maximum number of scalable socket connections that can be open at the same time between BlackBerry devices and the BlackBerry MDS Connection Service. By default, 15,000 connections are available. When you change the number of connections, you change how much system memory and how many ports the BlackBerry MDS Connection Service uses to maintain its connections with devices, and how many devices can connect to the BlackBerry MDS Connection Service at one time.

Before you begin: Verify that your system memory can support the number of scalable socket connections that you want to specify.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service.
2. Click the instance that you want to specify the maximum number of scalable socket connections for.
3. On the General tab, click Edit instance.
4. In the Socket connection settings section, in the Maximum simultaneous scalable sockets field, type a number between 100 and 20000. By default, the maximum number of scalable socket connections is 15000.
5. Click Save all.

Specify the port number that the web server listens on for push application requests

You can specify the port number that the web server listens on for HTTP requests and HTTPS requests from server-side push applications. You should change the default port parameters only if a port conflict exists with another service on the same computer.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service.
2. Click the instance that you want to specify the port number for.
3. Click Edit instance.
4. On the General tab, in the Connection section, perform one of the following actions:
   • To specify the port for HTTP requests, in the Web server listen port field, type the port number.
   • To specify the port for HTTPS requests, in the Web server SSL listen port field, type the port number.
5. Click Save all.

After you finish:
• Restart the BlackBerry MDS Connection Service.
• Notify your organization's push application developers that you changed the port number that the web server listens on for push application requests.

Change how often a BlackBerry MDS Connection Service polls for configuration information

By default, the BlackBerry MDS Connection Service checks the BlackBerry Configuration Database every 5 minutes to see if you have made any updates to its configuration settings or to software configurations using the BlackBerry Administration Service. You can change the default if your organization's policies require the BlackBerry MDS Connection Service to implement updates at a different interval. If you configure the BlackBerry MDS Connection Service to check for updates more frequently, you might notice a performance impact.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service.
2. Click the instance that you want to change.
3. Click Edit instance.
4. On the General tab, in the Database section, in the Database admin configuration cycle timer field, type a number, in minutes.
5. Click Save all.
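The guide says to move the web server listen port only when a port conflict exists with another service on the same computer. The following PowerShell script is an added example, not part of the BlackBerry guide: run on the computer that hosts the BlackBerry MDS Connection Service, it reports which process owns the current listen port and whether the port you intend to move to is free, so that the change is made (or not made) on evidence. The two port numbers are placeholders, not values from the guide.

```powershell
# Added example, not from the BlackBerry guide. Checks TCP listen-port
# ownership before an MDS Connection Service listen port is changed.
# Get-NetTCPConnection is available on Windows 8 / Windows Server 2012 and later.

function Test-TcpListenPortInUse {
    param([Parameter(Mandatory)][int]$Port)
    # Returns $null if nothing listens on the port; otherwise one record per listener.
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) { return $null }
    $listeners | ForEach-Object {
        # Resolve the owning process so the conflicting service can be identified.
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            ProcessId    = $_.OwningProcess
            ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }
}

# Placeholder values: the listen port currently configured for the web server
# and the port you are considering moving it to.
$currentPort  = 8080
$proposedPort = 8090

$owners = Test-TcpListenPortInUse -Port $currentPort
if ($owners) {
    Write-Output "Port $currentPort is currently owned by:"
    $owners | Format-Table -AutoSize
    # More than one owner on the same port/address is the conflict the guide refers to.
    if (@($owners).Count -gt 1) { Write-Warning "Multiple listeners on port $currentPort" }
} else {
    Write-Output "Nothing is listening on port $currentPort; no port change is needed."
}

if (Test-TcpListenPortInUse -Port $proposedPort) {
    Write-Warning "Proposed port $proposedPort is already in use; choose another port."
} else {
    Write-Output "Proposed port $proposedPort is free."
}
```

Run the check before editing the instance and again after restarting the BlackBerry MDS Connection Service, so that the new port shows the MDS process as its only owner.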
Permitting push applications to make trusted connections to a BlackBerry MDS Connection Service

To permit push applications to make trusted connections to a BlackBerry MDS Connection Service, you must create the webserver.keystore file on the computer that hosts the BlackBerry MDS Connection Service. This keystore stores the BlackBerry MDS Connection Service certificate and permits a BlackBerry MDS Connection Service to accept HTTPS connections from push applications. Push applications can use a BlackBerry MDS Connection Service certificate to open HTTPS connections to the BlackBerry MDS Connection Service to push application data and application updates to the BlackBerry devices that are assigned to that BlackBerry MDS Connection Service.

Push applications can use the self-signed certificate that is generated when you create the keystore, or you can use the Java keytool to add a signed certificate from a trusted public CA to the keystore. You must use the Java keytool to export the BlackBerry MDS Connection Service certificate from the keystore and import the certificate to the keystores that the Java push applications use.

For more information about using the Java keytool, visit java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html. For more information about the requirements, visit tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html.

Create a keystore to store certificates for use with HTTPS connections

You must create the webserver.keystore file to store the certificates that permit the BlackBerry MDS Connection Service to accept HTTPS connections from push applications. Only one keystore can exist. You create the keystore by specifying a password for the keystore in the BES10 Configuration Tool. When you create the keystore, a self-signed certificate is generated and stored in the webserver.keystore file. The webserver.keystore file is created in <drive>:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\MDS\webserver.

1. On the computer that hosts the BlackBerry MDS Connection Service, open the BES10 Configuration Tool. If a Windows message appears and requests permission to make changes to the computer, click Yes.
2. On the BlackBerry MDS tab, specify the information for your organization and type and confirm a new password for the keystore file.
3. Click Apply.
4. If you receive a prompt to replace the existing keystore file, click Yes.
5. Click OK.

Add a certificate for the BlackBerry MDS Connection Service

If you want server-side push applications to use a publicly signed certificate when they open trusted HTTPS connections to a BlackBerry MDS Connection Service and push application data and application updates to BlackBerry devices, you can add a CA certificate for the BlackBerry MDS Connection Service to the webserver.keystore file.

1. On the computer that hosts the BlackBerry MDS Connection Service, in the command prompt, navigate to <drive>:\Program Files (x86)\Java\<JRE version>\bin.
2. Type keytool -import -trustcacerts -alias tomcat -file <certificate file> -keystore webserver.keystore.
3. Type the keystore password.
4. When you receive a prompt, type YES.
5. Copy the keystore file to <drive>:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\MDS\webserver.

After you finish: Export the certificate for the BlackBerry MDS Connection Service to make it available to other applications.

Export the BlackBerry MDS Connection Service certificate to make it available to push applications

You must export the certificate for the BlackBerry MDS Connection Service so that you can import it to the keystore of a server-side push application.

Before you begin: Create a keystore to store the certificate for use with HTTPS connections. If you want push applications to use a publicly signed certificate when they open HTTPS connections, add a CA certificate to a BlackBerry MDS Connection Service.

1. On the computer that hosts the BlackBerry MDS Connection Service, in the command prompt, navigate to <drive>:\Program Files (x86)\Java\<JRE version>\bin.
2. Type keytool -export -alias tomcat -file <certificate file> -keystore <drive>:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\MDS\webserver\webserver.keystore -storepass <keystore password>.
3. Type the keystore password.

After you finish: Import the certificate for the BlackBerry MDS Connection Service to the keystore of a push application.

Import the BlackBerry MDS Connection Service certificate to the keystore of a push application

To permit a server-side push application to open trusted connections to the BlackBerry MDS Connection Service, you must add the certificate for the BlackBerry MDS Connection Service to the keystore of the push application.

1. On the computer that hosts the BlackBerry MDS Connection Service, in the command prompt, navigate to <drive>:\Program Files (x86)\Java\<JRE version>\bin.
2. Type keytool -import -trustcacerts -alias <alias> -file <certificate file> -keystore <push application keystore>.
3. Type the keystore password.
4. To add the certificate to the keystore, at the prompt, type Yes.

After you finish: If the certificate does not exist, import the certificate to <drive>:\Program Files (x86)\Java\<JRE version>\lib\security\cacerts.

Disaster recovery planning for the BlackBerry Device Service

To prepare for disaster recovery, you must make sure that you have a backup of the BlackBerry Configuration Database and the shared network folder. The BlackBerry Administration Service stores files such as application files and certificates in this folder on the shared network drive. You can use these backup files to restore the BlackBerry Device Service if issues occur.

Backing up the BlackBerry Configuration Database

You should back up the BlackBerry Configuration Database so that you can restore it if the database server is not available.
You can use the backup and restore tools that are part of Microsoft SQL Server to back up and, if necessary, restore the BlackBerry Configuration Database. For more information, see the Microsoft documentation for Microsoft SQL Server.

Back up the shared network folder

The shared network folder contains the application files and certificates that the BlackBerry Administration Service uses.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
2. Click BlackBerry Administration Service.
3. In the Network drive section, verify the shared network folder that the BlackBerry Administration Service uses.
4. On the computer that hosts the BlackBerry Administration Service, navigate to the location of the shared network folder.
5. Copy the shared network folder and save it to a different location (for example, another computer on your organization's network).

Restore the BlackBerry Device Service

You can restore a BlackBerry Device Service instance to the same computer or a different computer in your organization's environment.

1. If necessary, restore the BlackBerry Configuration Database. You can use the backup and restore tools that are part of Microsoft SQL Server. For more information, see the Microsoft documentation for Microsoft SQL Server.
2. If necessary, restore the shared network folder. If you restore the shared network folder to a different location, you must update the location in the BlackBerry Administration Service. For more information, see Specify a shared network folder.
3. Perform one of the following tasks:

   Task: Restore a BlackBerry Device Service instance to the same computer or a computer with the same FQDN as the computer that previously hosted the BlackBerry Device Service instance
   Steps:
   1. Install the BlackBerry Device Service and specify the same name for the BlackBerry Device Service instance. For more information about installing the BlackBerry Device Service, see the BlackBerry Enterprise Service 10 Installation Guide.

   Task: Restore a BlackBerry Device Service instance to a different computer
   Steps:
   1. Install the BlackBerry Device Service and specify a new name for the BlackBerry Device Service instance. For more information about installing the BlackBerry Device Service, see the BlackBerry Enterprise Service 10 Installation Guide.
   2. Move user accounts from the old BlackBerry Device Service instance to the new BlackBerry Device Service instance. For more information, see the BlackBerry Device Service Advanced Administration Guide.
   3. To remove the old BlackBerry Device Service component information from the BlackBerry Configuration Database, perform the following actions:
      a. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain.
      b. Click Component view.
      c. Click the Delete icon beside the old BlackBerry Device Service instance.
      d. Click Yes - Delete the instance and wait until you are returned to the main page.

4 Setting up Universal Device Service components

Before you can activate and manage iOS devices and Android devices, you may need to configure some Universal Device Service components so that they can run in your organization's environment. You can configure connections to proxy servers, configure SMTP server settings, and more.

Configuration Guide Setting up Universal Device Service components

Connecting the BlackBerry Secure Connect Service to the BlackBerry Infrastructure through a TCP proxy server

When you use BlackBerry Enterprise Service 10 to activate and manage iOS and Android devices, the BlackBerry Secure Connect Service connects directly to the BlackBerry Infrastructure.
To satisfy your organization's security standards and firewall rules, you can configure the BlackBerry Secure Connect Service to connect to the BlackBerry Infrastructure by routing data through a TCP proxy server. A TCP proxy server is an optional, third-party software component that functions as an intermediary for data that passes between the BlackBerry Secure Connect Service and the BlackBerry Infrastructure. A TCP proxy server is typically used to manage how a company sends data to external sources and receives data from those sources. Authentication with the TCP proxy server is not supported.

The TCP proxy server can be transparent or non-transparent. A transparent proxy server does not change a request or response. A non-transparent proxy server can change a request or response to provide added service.

Configure the BlackBerry Secure Connect Service to connect to the BlackBerry Infrastructure through a TCP proxy server

1. In the Administration Console, on the menu bar, click Settings.
2. In the left pane, click Secure Connect Service.
3. Select the Enable TCP proxy check box.
4. In the Server name or IP address field, type the FQDN or IP address of the TCP proxy server.
5. In the Port number field, type the port number to use for the TCP proxy server.
6. Click Save.

After you finish:
• In the Windows Services, restart the BES10 – BlackBerry Secure Connect Service.
• Configure your organization's firewall to communicate with the BlackBerry Infrastructure over port 3101 to the domain <country code>.bbsecure.com, where <country code> is the appropriate country code defined by the ISO standard. For more information about domains and IP addresses to use in your firewall configuration, visit www.blackberry.com/go/kbhelp to read article KB34193.
Configure the HTTP or HTTPS proxy server settings

If you do not want the Core Module to have direct access to the Internet, you can configure the Core Module to connect to the BlackBerry Infrastructure through an HTTP or HTTPS proxy server. The connection between the Core Module and the HTTP or HTTPS proxy server supports basic, digest, NTLM, and Kerberos authentication.

1. In the Administration Console, on the menu bar, click Settings.
2. In the left pane, click HTTP or HTTPS Proxy.
3. Select the Enable proxy check box.
4. In the Server name or IP address field, type the server name or IP address of the HTTP or HTTPS proxy server.
5. In the Port number field, type the port number.
6. If you want to enable authentication for the HTTP or HTTPS proxy server, select the Authentication required check box. Type the username and password.
7. Click Save.

Configure SMTP server settings

You can configure SMTP settings to specify the server name or IP address of the messaging server in your organization's environment. The Universal Device Service uses SMTP to send device activation emails. The Universal Device Service can also use SMTP to send email messages about device compliance issues, if you choose to enable this option.

1. In the Administration Console, on the menu bar, click Settings > SMTP Server.
2. Select the Enable SMTP check box.
3. In the Server name or IP address field, type the server name or IP address of the messaging server.
4. In the Port number field, type the port number.
5. In the Authentication type drop-down list, perform one of the following actions:
   • Click Credentials and type the username and password to authenticate with the SMTP server.
   • Select None. If you select this option, verify that the SMTP server allows anonymous access.
6. In the Handshake type drop-down list, select a type of handshake. If the SMTP server uses SSL, select the SSL check box and select an SSL type in the SSL type drop-down list. If the SMTP server uses a self-signed SSL certificate, import the SSL certificate to the Windows certificate store on the computer that hosts the Core Module.
7. Click Test if you want to test the connection to the SMTP server and send a test email message.
8. Click Save.

After you finish: To allow the Universal Device Service to send activation emails to users, configure your organization's messaging server to allow anonymous users to send messages using SMTP. For instructions, visit www.blackberry.com/go/kbhelp to read article KB32580.

Configuring how the Universal Device Service contacts devices that are not responding

When an Android device or an iOS device stops responding, the Universal Device Service waits 60 seconds and then tries to contact the device. If the device does not respond, the Universal Device Service tries to contact the device every 60 seconds.

The Universal Device Service always waits 60 seconds before making the first attempt to contact a device that is not responding. By adding a contact delay multiplier, you can increase the contact delay for any subsequent attempts. You might want to increase the contact delay to avoid performance issues that can occur when the Universal Device Service makes repeated attempts to contact devices that are not responding.

When you add a contact delay multiplier, you specify a number. The contact delay for subsequent attempts is 60 seconds multiplied by the number that you specify. For example, if you specify a multiplier of 2, the first attempt is made after 60 seconds, and subsequent attempts are made every 120 seconds (2 x 60 seconds). If you want to apply different delay periods for subsequent attempts, you can add several contact delay multipliers.
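The multiplier rule above determines how long the Universal Device Service keeps polling an unresponsive device and how much of that is idle waiting. The following PowerShell function is an added example, not part of the BlackBerry guide: it turns a list of contact delay multipliers into the resulting schedule of attempts, including the cumulative time, so that an administrator can compare candidate multiplier lists before saving them in the Push Server settings. The 60-second base delay is the guide's value; the attempt counts and multiplier lists in the sample calls are constructed for illustration, and the rule that the last multiplier repeats for all later attempts is taken from the guide's own three-multiplier example.

```powershell
# Added example, not from the BlackBerry guide. Computes the contact schedule
# produced by a list of contact delay multipliers (base delay 60 s per the guide).

function Get-ContactDelaySchedule {
    param(
        [int[]]$Multipliers = @(),   # multipliers in the order they were added; empty = none configured
        [int]$Attempts = 6,          # number of contact attempts to show (constructed value)
        [int]$BaseSeconds = 60       # the guide's fixed base delay
    )
    $schedule = @()
    $elapsed = 0
    for ($n = 1; $n -le $Attempts; $n++) {
        if ($n -eq 1 -or $Multipliers.Count -eq 0) {
            # The first attempt is always made after 60 s; with no multipliers every
            # attempt is 60 s apart.
            $mult = 1
        } else {
            # Attempt n uses the (n-1)th multiplier; once the list is exhausted the
            # last multiplier applies to every later attempt.
            $idx  = [Math]::Min($n - 2, $Multipliers.Count - 1)
            $mult = $Multipliers[$idx]
        }
        $delay    = $mult * $BaseSeconds
        $elapsed += $delay
        $schedule += [pscustomobject]@{
            Attempt        = $n
            Multiplier     = $mult
            DelaySeconds   = $delay
            ElapsedSeconds = $elapsed
        }
    }
    return $schedule
}

# No multipliers configured: 60 s before every attempt.
Get-ContactDelaySchedule | Format-Table -AutoSize

# Single multiplier of 2: 60 s, then 120 s before every later attempt.
Get-ContactDelaySchedule -Multipliers 2 -Attempts 4 | Format-Table -AutoSize

# Multipliers 1, 2 and 3: delays 60, 60, 120, 180, 180, 180 s.
Get-ContactDelaySchedule -Multipliers 1,2,3 | Format-Table -AutoSize
```

The ElapsedSeconds column is the figure to watch when tuning for performance: with multipliers 1, 2 and 3 the sixth attempt happens 780 seconds after the device stopped responding, against 360 seconds with no multipliers at all.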
For example, if you add three multipliers with values of 1, 2, and 3, the following occurs:
• The Universal Device Service waits 60 seconds and then tries to contact the device.
• If the device does not respond, the Universal Device Service waits 60 seconds and then tries to contact the device again (1 x 60 seconds).
• If the device does not respond, the Universal Device Service waits 120 seconds and then tries to contact the device again (2 x 60 seconds).
• If the device does not respond, the Universal Device Service waits 180 seconds and then tries to contact the device again (3 x 60 seconds).
• If the device does not respond, the Universal Device Service waits 180 seconds for all subsequent attempts (3 x 60 seconds).

Configure how the Universal Device Service contacts devices that are not responding

1. In the Administration Console, on the menu bar, click Settings.
2. In the left pane, click Push Server.
3. Click the + icon to add a contact delay multiplier.
4. In the Contact delay multiplier field, type the multiplier that BlackBerry Enterprise Service 10 uses to calculate the contact delay.
5. If you want to add more than one multiplier, repeat steps 3 and 4.
6. Click Save.

Enabling the Secure Work Space for iOS devices and Android devices

The Secure Work Space is a containerization, app wrapping, and secure connectivity option for iOS and Android devices. It ensures that personal and work information and applications are kept separate on devices by creating a personal space and a work space, and by providing full management of the work space.

Before you can assign a work space profile to user accounts, you must complete the following tasks:
• Verify that you have BlackBerry Enterprise Service 10 version 10.1.1 or later.
• Verify that you have Microsoft Exchange Server with Exchange ActiveSync (for more information, visit docs.blackberry.com/BES10 to see the BlackBerry Enterprise Service 10 Compatibility Matrix).
• On the Microsoft Exchange Server CAS, verify that Basic authentication and Windows authentication are enabled. For more information, visit www.blackberry.com/go/kbhelp to read article KB34664.
• In BlackBerry Management Studio, add Secure Work Space licenses.
• In the Universal Device Service administration console, enable and test the work space connection.
• For iOS devices, configure the BlackBerry Work Connect Notification Service in the Universal Device Service administration console.

For more information about setting up the work space for iOS and Android devices, visit docs.blackberry.com/BES10 to read the Universal Device Service Advanced Administration Guide.

Related information
Enable and test the work space connection, 112
Configure the BlackBerry Work Connect Notification Service, 115

Enable and test the work space connection

You must enable the work space connection before you can assign a work space profile to user accounts.

1. In the Administration Console, click Settings.
2. In the left pane, click Work space.
3. Verify that the work space is enabled and the connection status is Successful.
4. Optionally, click Test connection to test the work space connection.

Importing the root certificate of the Universal Device Service to the Microsoft Exchange Server

The BlackBerry Work Connect Notification Service provides new or changed email and organizer notifications to iOS devices that are work space-enabled. To support the BlackBerry Work Connect Notification Service, BlackBerry Enterprise Service 10 registers with your organization's Microsoft Exchange Server on behalf of device users to receive new mail notifications.
The Microsoft Exchange Server must establish an SSL connection with BlackBerry Enterprise Service 10. To enable an SSL connection, you must export the root certificate of the Universal Device Service and import it into the Trusted Root Certification Authorities certificate store on the computer that hosts the Microsoft Exchange Server.

Export the root certificate of the Universal Device Service

1. On the computer that hosts the BlackBerry Enterprise Service 10 core components, open the Microsoft Management Console. If a Windows message appears and requests permission to make changes to the computer, click Yes.
2. Click Console Root.
3. Click File > Add/Remove Snap-in.
4. In the Available snap-ins list, click Certificates (Local computer). Click Add.
5. In the Certificates snap-in dialog, select the Computer account option. Click Next.
6. In the Select Computer dialog, select the Local computer option. Click Finish.
7. Click OK.
8. Expand Certificates (Local Computer) > Personal. Click Certificates.
9. Right-click RIM UDS SERVER ROOT. Click All Tasks > Export.
10. In the Certificate Export Wizard, click Next.
11. When prompted about whether to export the private key with the certificate, select No, do not export the private key. Click Next.
12. When prompted to select the file format, select the DER encoded binary X.509 option. Click Next.
13. Click Browse.
14. In the File name field, type a name for the certificate. Navigate to the location where you want to save the certificate. Click Save.
15. Click Next.
16. Click Finish. Click OK.

After you finish:
• Repeat this task for each instance of the core components in the BlackBerry Enterprise Service 10 domain.
• Transfer the certificate (or certificates) to the computer that hosts your organization's Microsoft Exchange Server.
• On the computer that hosts the Microsoft Exchange Server, import the Universal Device Service root certificate (or certificates) into the Trusted Root Certification Authorities certificate store.

Import the root certificate of the Universal Device Service into the Trusted Root Certification Authorities certificate store

Before you begin: Export the Universal Device Service root certificate and transfer the certificate to the computer that hosts your organization's Microsoft Exchange Server.

1. On the computer that hosts your organization's Microsoft Exchange Server, open the Microsoft Management Console. If a Windows message appears and requests permission to make changes to the computer, click Yes.
2. Click Console Root.
3. Click File > Add/Remove Snap-in.
4. In the Available snap-ins list, click Certificates (Local computer). Click Add.
5. In the Certificates snap-in dialog, select the Computer account option. Click Next.
6. In the Select Computer dialog, select the Local computer option. Click Finish.
7. Click OK.
8. Expand Certificates (Local Computer) > Trusted Root Certification Authorities.
9. Right-click Certificates. Click All Tasks > Import.
10. In the Certificate Import Wizard, click Next.
11. Click Browse. Navigate to and select the Universal Device Service root certificate that you exported. Click Open.
12. Click Next.
13. Verify that Place all certificates in the following store is selected. Click Next.
14. Click Finish. Click OK.

After you finish:
• Repeat this task for each Universal Device Service root certificate that you exported.
• If your organization uses Microsoft Exchange Server 2007 or 2010 with a CAS array, repeat this task on each server in the array. If your organization uses Microsoft Exchange Server 2013, repeat this task on each Mailbox server.
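The two MMC procedures above have to be repeated for every core-components instance and for every CAS array member or Mailbox server, which is where a click-through procedure tends to drift (a wrong store, a stale certificate). The following PowerShell script is an added example, not part of the BlackBerry guide: it performs the same export (DER-encoded X.509, no private key, from the Personal store) and the same import into Trusted Root Certification Authorities using the Windows PKI module cmdlets, and then confirms by thumbprint that each Exchange server trusts exactly the certificate that was exported. The subject match on "RIM UDS SERVER ROOT" is the name the guide shows; the Exchange host names, the temporary file paths, and the use of PowerShell remoting to reach the Exchange servers are assumptions.

```powershell
# Added example, not from the BlackBerry guide. Scripts the UDS root certificate
# export/import that the guide performs in the MMC. Requires the PKI module
# (Windows Server 2012 and later) and, for the remote part, PowerShell remoting.

# --- Run on each BlackBerry Enterprise Service 10 core-components host ---
function Export-UdsRootCertificate {
    param([Parameter(Mandatory)][string]$OutputPath)
    # Locate the certificate the guide calls "RIM UDS SERVER ROOT" in the Personal store;
    # if several exist (reinstalls), take the one that expires last.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*RIM UDS SERVER ROOT*' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'RIM UDS SERVER ROOT certificate not found in Cert:\LocalMachine\My' }
    # -Type CERT writes DER-encoded X.509 and never includes the private key
    # (the same choices as wizard steps 11 and 12).
    Export-Certificate -Cert $cert -FilePath $OutputPath -Type CERT | Out-Null
    return $cert.Thumbprint
}

# --- Run on each Microsoft Exchange Server (CAS array member or Mailbox server) ---
function Import-UdsRootCertificate {
    param([Parameter(Mandatory)][string]$CerPath)
    # Cert:\LocalMachine\Root is the Trusted Root Certification Authorities store.
    $imported = Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root
    return $imported.Thumbprint
}

# Example run with assumed paths and host names.
$cerFile       = Join-Path $env:TEMP 'uds-root.cer'
$exportedThumb = Export-UdsRootCertificate -OutputPath $cerFile
Write-Output "Exported RIM UDS SERVER ROOT, thumbprint $exportedThumb"

$exchangeServers = @('cas01.example.test', 'cas02.example.test')   # assumed names
foreach ($server in $exchangeServers) {
    # Assumed: the admin share is reachable and C:\Temp exists on the Exchange server.
    Copy-Item -Path $cerFile -Destination "\\$server\C$\Temp\uds-root.cer"
    $thumb = Invoke-Command -ComputerName $server `
        -ScriptBlock ${function:Import-UdsRootCertificate} `
        -ArgumentList 'C:\Temp\uds-root.cer'
    # The thumbprint check catches importing a stale or wrong .cer on one server.
    if ($thumb -ne $exportedThumb) { throw "Thumbprint mismatch on ${server}: $thumb" }
    Write-Output "$server now trusts the UDS root certificate ($thumb)"
}
```

With more than one core-components instance, run the export on each host and repeat the import loop once per exported .cer file, exactly as the "After you finish" lists above require.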
Configure the BlackBerry Work Connect Notification Service

The BlackBerry Work Connect Notification Service provides new or changed email and organizer notifications to iOS devices that are work space-enabled. Since iOS devices do not allow apps to run in the background (with specific exceptions such as the default messaging app), work space apps receive new data only if the app is open or if the notification comes from the APNs. The BlackBerry Work Connect Notification Service receives notifications of new data from third-party applications such as messaging servers or web servers and sends notifications through the BlackBerry Infrastructure to the APNs. The APNs notifies the Work Connect app on the device.

Before you begin:
• Configure a Microsoft Exchange account with permissions to impersonate all users. BlackBerry Enterprise Service 10 can use this account to request and receive notifications from the Microsoft Exchange Server when new or updated items are available in a user's mailbox. For more information about configuring an impersonation account on Microsoft Exchange 2007, Microsoft Exchange 2010, or Microsoft Exchange 2013 (CU2 or later), visit www.blackberry.com/go/kbhelp to read article KB34664.
• Import the root certificate of the Universal Device Service to the Microsoft Exchange Server. For instructions, see Importing the root certificate of the Universal Device Service to the Microsoft Exchange Server.

1. In the Administration Console, on the menu bar, click Settings.
2. In the left pane, under Gatekeeping, perform one of the following tasks:
   • Beside ActiveSync configuration, click the + sign to create a new Exchange ActiveSync configuration.
   • Select an existing Exchange ActiveSync configuration that was configured for gatekeeping.
3. If you create a new configuration, perform the following tasks:
   a. Clear the check box beside Use Microsoft ActiveSync gatekeeping.
   b. In the username field, type the domain name and the username in the format domain_name\username, and type the password for the Microsoft Exchange account that has impersonation permissions.
4. Select Use Exchange Web Services to monitor notifications.
5. Type the Microsoft Exchange Web Services address.
6. Optionally, select Use HTTP proxy server and perform the following tasks:
   a. Type the HTTP proxy address.
   b. Optionally, select the Authentication check box, and type the username and password for the HTTP proxy server.
7. Select the version of the Microsoft Exchange Server from the drop-down list. If your organization uses Microsoft Exchange Server 2013 or Microsoft Office 365, select Exchange 2010 in the drop-down list.
8. Click Test Connection to validate the connection.

Related information
Importing the root certificate of the Universal Device Service to the Microsoft Exchange Server, 113

Configure the standby instance to support email notifications for work space-enabled iOS devices

If your organization's domain is configured for high availability and supports Secure Work Space for iOS devices, complete the following instructions. This task allows iOS device users to continue receiving email notifications after a high availability failover.

1. Install or upgrade the standby instance of the BlackBerry Enterprise Service 10 components.
2. On the computer that hosts the primary instance, verify that Secure Work Space is enabled.
3. On the computer that hosts the primary instance, navigate to <drive>:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.BWCN\conf\ or <drive>:\Program Files (x86)\Research In Motion\BlackBerry Device Service\RIM.BUDS.BWCN\conf\.
4. Copy asg.xml. Transfer the copy to the corresponding file path on the computer that hosts the standby instance. Replace the existing asg.xml file.
5. On the computer that hosts the standby instance, in a text editor, open asg.xml. Update the restServiceUrl value with the FQDN for the standby instance (that is, replace the primary instance's FQDN in the URL with the standby instance's FQDN).
6. Save and close asg.xml.
7. On the computer that hosts the standby instance, in the Windows Services, restart the BES10 - Scheduler service.

Understanding and installing APNs certificates

About APNs

You must use the APNs to manage iOS devices in BlackBerry Enterprise Service 10 domains. The Universal Device Service requires the APNs to manage iOS devices and send push notifications to iOS devices. When the Universal Device Service needs to send information to an iOS device, it sends a notification to the APNs. The APNs authenticates the Universal Device Service server and then sends the notification to the iOS device. The iOS device receives the notification from the APNs and retrieves the information from the Universal Device Service.

To use APNs, your organization must obtain an APNs certificate for each Universal Device Service deployment. For example, if your organization includes a production deployment and a testing deployment, you need two APNs certificates. You must obtain the APNs certificate through the Universal Device Service interface. When you renew the APNs certificate, you must use the same Apple ID that you used when the certificate was created. The Google Chrome browser and the Safari browser provide optimal support for this functionality.

CAUTION: You must renew the APNs certificate before it expires (each certificate expires after one year). If the certificate expires, or if you insert a new APNs certificate instead of renewing the old one, iOS devices do not receive commands, and users must reactivate their devices.

Note: For more information, visit https://developer.apple.com to read Issues with Sending Push Notifications, in article TN2265.
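The CAUTION above makes APNs certificate expiry an operational risk: a missed renewal means iOS devices stop receiving commands and every user has to reactivate. The following PowerShell script is an added example, not part of the BlackBerry guide: run on the computer that hosts the core components (and on the standby instance in a high availability domain), it reads the installed APNs certificate from the Personal store, reports the days remaining, confirms the private key is present, and flags the certificate when it is inside a renewal window. The thumbprint is a placeholder to be replaced with the one recorded when the .pfx file was imported; the 30-day warning window and the issuer-name filter used to list candidate certificates are assumptions.

```powershell
# Added example, not from the BlackBerry guide. Expiry check for the APNs
# certificate installed in Cert:\LocalMachine\My on the core-components host.

function Get-ApnsCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # placeholder: thumbprint of your APNs certificate
        [int]$WarnDays = 30                          # assumed renewal window
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

    $daysLeft = [int][Math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $action = if ($daysLeft -lt 0) {
        'EXPIRED: iOS devices no longer receive commands; renew and expect device reactivation'
    } elseif ($daysLeft -le $WarnDays) {
        'RENEW NOW: use Renew in the Apple Push Certificates Portal with the original Apple ID; do not insert a new certificate'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        DaysRemaining = $daysLeft
        HasPrivateKey = $cert.HasPrivateKey   # $false means the .pfx import did not bring the key along
        Action        = $action
    }
}

function Find-ApnsCertificateCandidates {
    # Helper for locating the thumbprint the first time. Assumption: the APNs
    # certificate's issuer name contains "Apple"; verify the subject before relying on it.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like '*Apple*' -and $_.HasPrivateKey } |
        Select-Object Subject, NotAfter, Thumbprint
}

# Example call with a placeholder thumbprint; schedule this as a daily task and
# alert on anything other than 'OK'.
$status = Get-ApnsCertificateStatus -Thumbprint '0000000000000000000000000000000000000000'
$status | Format-List
if ($status.Action -ne 'OK')    { Write-Warning $status.Action }
if (-not $status.HasPrivateKey) { Write-Warning 'APNs certificate has no private key in this store' }
```

Because each Universal Device Service deployment has its own APNs certificate, record one thumbprint per deployment (production and test) and run the check against each.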
Request a signed CSR from BlackBerry

You must request a signed CSR from BlackBerry before you can obtain an APNs certificate. When the request is processed, BlackBerry sends an email message to the address that you provide. Processing can take up to one business day from the time that you submit the request.

1. In the Administration Console, on the menu bar, click Settings > APNs Certificate.
2. In the APNs Certificate Status window, click Get APNs Certificate.
3. In the Provide your company information to RIM window, type information about your organization:
   a. In the Common name field, type a name for the certificate.
   b. In the Company name field, type the name of your organization.
   c. In the Organizational unit field, type the name of the department that you work in.
   d. In the City field, type the name of the city or town that your organization is located in.
   e. In the State or province field, type the state or province that your organization is located in.
   f. In the Country or region drop-down list, select the country or region that your organization is located in.
   g. In the Contact name field, type the name of your organization's Universal Device Service administrator.
   h. In the Contact email address field, type the email address of your organization's Universal Device Service administrator.
   i. In the Contact phone field, type the phone number of your organization's Universal Device Service administrator.
4. Click Submit to RIM.
5. Click OK.

Check the status of your request for a signed CSR from BlackBerry

After you submit your organization's information to BlackBerry, in most cases, BlackBerry can verify the information within one business day. When the request is processed, BlackBerry sends an email message to the address that you provided in the request, or you can check the status in the Administration Console.

1. In the Administration Console, on the menu bar, click Settings > APNs Certificate.
2. Click Get APNs Certificate. The Get an APNs Certificate page appears, with a message indicating the status of your request:
   • Your organization's information was verified by BlackBerry. The signed CSR is now available for you to download.
   • Your organization's information is still in the process of being verified by BlackBerry.
   • Your organization's information could not be verified by BlackBerry. Make sure that the information that you provided is correct by clicking on the Has your company information changed? link. BlackBerry tries to contact you using the information that you provided. After you resubmit your organization's information, verification by BlackBerry requires an additional business day.

Download the signed CSR from BlackBerry and save it

1. In the Step 1 | Download the signed CSR from RIM section, click Download Signed CSR. You receive a prompt to download the resulting signed CSR file (.scsr file).
2. Click Save to save the signed CSR file (.scsr file) to your computer.

Request an APNs certificate from Apple

1. In the Step 2 | Request an APNs certificate from Apple section, click the link to the Apple Push Certificates Portal. Follow the instructions to obtain an APNs certificate. If you want to renew the APNs certificate, ensure that you select Renew in the Apple Push Certificates Portal.
2. In the Apple Push Certificates Portal, upload the most recent signed CSR file (.scsr file) from BlackBerry when you receive a prompt.
3. Download the APNs certificate file (.pem file) when you receive a prompt.
4. Save the .pem file to your computer.

Upload the APNs certificate

1. In the Step 3 | Upload an APNs certificate section, browse to the APNs certificate file (.pem file).
2. In the Private key password field and Confirm password field, type a password for the certificate's private key.
3. Click Install APNs Certificate to upload the APNs certificate (.pem file).
4. Download the .pfx file when you receive a prompt.
5. Whether you want to obtain a new certificate or renew an existing certificate, save the .pfx file to your computer.

Import the .pfx file into the certificate store

In the Step 4 | Import the .pfx file into the certificate store section, you can use the Certificate Import Wizard in the Microsoft Management Console to import the .pfx file into the certificate store of the computer that hosts the core components. If you configured BlackBerry Enterprise Service 10 for high availability, repeat this task on both the primary instance and the standby instance.

1. To open the Microsoft Management Console, on the Start menu, select Run.
2. In the Open field, type mmc. Click OK.
3. On the File menu, select Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, in the Available snap-ins list, select Certificates.
5. Click Add.
6. In the Certificates snap-in dialog box, select Computer account.
7. Click Next.
8. Select Local computer.
9. Click Finish.
10. In the Add or Remove Snap-ins window, click OK.
11. In the Microsoft Management Console, expand Certificates (Local Computer) > Personal.
12. Right-click Certificates. Select All Tasks.
13. Click Import.
14. In the Certificate Import Wizard, click Next.
15. Browse to the .pfx file. In the file type drop-down list, at the bottom-right of the Open window, select Personal Information Exchange (*.pfx, *.p12) so that .pfx files appear.
16. Click Next.
17. Type the password for the certificate.
18. Click Next.
19. Select Place all certificates in the following store.
20. Browse to the Personal certificate store.
21. Click Next.
22. Click Finish.

Change the private key access permissions of the certificate

1. In the right pane, right-click the certificate you just installed.
2. Select All Tasks.
3. Select Manage Private Keys.
4. In the Permissions window, click Add.
5. In the Select Users or Groups window, in the Enter the object names to select field, type Authenticated Users.
6. Click Check Names. Click OK.
7. In the Permissions window, click Authenticated Users.
8. Select the check box to allow read permission. Click OK.

Verify the status of the APNs certificate

The APNs Certificate Status page shows the status of the APNs certificate (such as Not Installed, Installed, or Expired). If the APNs certificate is installed, the page also shows the certificate's expiry date.

In the Administration Console, on the menu bar, click Settings > APNs Certificate.

Test the APNs connection

If an APNs certificate is installed, you can test the connection to the APNs server. The test confirms that the certificate is valid, and that the APNs server can be contacted.

1. In the Administration Console, on the menu bar, click Settings > APNs Certificate.
2. Click Test Connection.

Troubleshooting APNs

The system encountered an error. Check your network connection and try again.

Description
If you receive an error message when you request a signed CSR from BlackBerry, you should make sure that the Administration Console can communicate with BlackBerry's web service.

Possible cause | Possible solution
Firewall not configured correctly. | Verify that the firewall is configured so that the Administration Console can generate a Certificate Signing Request during the configuration of the APNs certificate.
You are using a proxy server for outbound HTTP/HTTPS traffic. | To confirm the settings, see Configure the HTTP or HTTPS proxy server settings.

The APNs certificate does not match the CSR. Provide the correct APNs file (.pem) or submit a new CSR.
Description
You may receive an error message when you upload an APNs certificate to the Universal Device Service if you did not upload the most recently signed CSR file from BlackBerry to the Apple Push Certificates Portal.

Possible solution
If you downloaded multiple CSRs from BlackBerry, only the last one that you downloaded is valid. If you know which CSR is the most recent, return to the Apple Push Certificates Portal and upload it. If you are not sure which CSR is the most recent, request a new one from BlackBerry, then return to the Apple Push Certificates Portal and upload it.

I cannot set the access permissions for the certificate's private key

If you do not see the option to set the access permissions for the certificate's private key, make sure you imported the .pfx file, not the .pem file.

I cannot activate iOS devices

Possible cause
If you are unable to activate iOS devices, the APNs certificate may not be correctly installed.

Possible solution
Perform one or more of the following actions:
• Make sure that the APNs certificate status window shows that the certificate is installed
• Make sure that you installed the .pfx file into the certificate store, and not the .pem file
• Make sure that you set the private key access permissions of the certificate to Authenticated Users
• Restart Microsoft IIS

Configuring device communication settings

Polling intervals for device communication settings

You can change specific settings for polling intervals for device communication.

Component | Description
Device application list | This setting specifies how often, in seconds, the Universal Device Service polls the device to retrieve the list of applications that are installed on the device.
Device information | This setting specifies how often, in seconds, the Universal Device Service polls the device to retrieve information such as the amount of available memory on the device or the wireless service provider that provides service for the device.

Configure the device communication settings

You can configure the default settings that the Universal Device Service uses to get information about current device settings.

1. In the Administration Console, on the menu bar, click Settings > Communication.
2. Select a unit of time and type the polling intervals for the device communication settings.
3. Click Save.

Installing an SSL certificate for the Communication Module

When you install BlackBerry Enterprise Service 10, the setup application generates a certificate for the Communication Module. You can also replace the default certificate with one that is issued by a CA and is already trusted by iOS devices and Android devices.

When users activate devices, before they enter their usernames and passwords, the BES12 Client prompts them to accept or decline the SSL certificate for the Communication Module. The prompt includes information about the SSL certificate including the Common Name, fingerprint, and whether the certificate is trusted or untrusted. If users click Accept, the certificate is installed on the devices, and the activation process continues. If users click Decline, they are returned to the previous activation screen.

If you do not replace the default SSL certificate, or if you install a certificate that is not signed by a CA that the device trusts, the certificate is displayed in the user prompt as untrusted. To ensure that the user accepts a certificate for a valid server, you can ask users to compare the certificate information displayed in the prompt with information that you send to users in the activation email. If the information matches, users can accept the untrusted certificate and proceed with the activation process. Alternatively, you can ask users to install the untrusted certificate on their devices as a trusted root certificate before they activate their devices. Users can download the SSL certificate to their devices from an internal website that is created when you install BlackBerry Enterprise Service 10 (//). If users install the untrusted certificate before activating their devices, the certificate is displayed in the prompt as trusted.

If you replace the default SSL certificate with a certificate that is signed by a trusted CA, the certificate is displayed in the prompt as trusted.

Install or update an SSL certificate for the Communication Module

You can install an SSL certificate to replace the default self-signed certificate that is installed automatically when you install BlackBerry Enterprise Service 10. If you replace the default certificate, the new certificate might need to be updated again in the future. You must update the SSL certificate at least 14 days before the certificate expiry date. If you update the SSL certificate after that time, devices do not reactivate automatically and users must activate the devices manually.

Before you begin: If you do not already have an SSL certificate, see Requesting an SSL certificate for the Communication Module.

1. On a computer that hosts an instance of the BlackBerry Enterprise Service 10 core components, right-click the BES10 Configuration Tool and select Run as administrator.
2. On the Communication Module tab, select the location for the SSL certificate, and type the password.
3. Click OK.
4. Restart Microsoft IIS on the computer.
5. Repeat steps 1 to 4 for each instance of the BlackBerry Enterprise Service 10 core components.

After you finish:
• Ensure that you have the SSL certificate's root CA certificate and any intermediate CA certificates in the certificate store on each computer that hosts an instance of the BlackBerry Enterprise Service 10 core components.
• When users open the BES12 Client on their devices, the devices reactivate and the SSL certificate is updated.

Requesting an SSL certificate for the Communication Module

You can request an SSL certificate to replace the self-signed SSL certificate that is installed by default when you install BlackBerry Enterprise Service 10. You should use an SSL certificate that is issued by a CA that is already trusted by iOS devices and Android devices. For more information about the certificates that are trusted by iOS devices, visit support.apple.com to read article HT4415 for iOS 4 or article HT5012 for iOS 5. For more information about the certificates that are trusted by Android devices, check the "Trusted CA" section of the Android device.

Create a CSR

You must perform the following actions on the computer that hosts Microsoft IIS.

1. Open Internet Information Services (IIS) Manager.
2. Click the server name.
3. Double-click Server Certificates.
4. Click Create Certificate Request.
5. Specify the required information for the certificate. Click Next.
   In the Common name field, to request a wildcard SSL certificate that can be used on each computer that hosts an instance of the BlackBerry Enterprise Service 10 core components, the common name must start with the wildcard character that is denoted by an asterisk (*). For example, *.example.com. The Communication Module supports SSL certificates that match only a single level of subdomain as defined in the RFC 2818 standard. For example, *.example.com matches domain.example.com but not mdm.domain.example.com.
6. Select Microsoft RSA SChannel Cryptographic Provider and the bit length. Click Next.
7. Specify a location and file name for the CSR. Click Finish.
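Step 5 of the Create a CSR procedure states the single-level wildcard rule from RFC 2818 with a single example. The PowerShell function below is an added example, not part of this guide or of the product, that applies the same rule to a whole list of host names, so that you can confirm that one wildcard common name will cover every computer that hosts the core components before you submit the CSR. The host names in the usage call are constructed placeholders; the first two are the guide's own example pair.

```powershell
# Added example; not part of the BES10 guide or the product.
# Applies the single-level wildcard rule the guide cites from RFC 2818: the '*' in the
# common name stands for exactly one DNS label, so *.example.com covers
# domain.example.com but not mdm.domain.example.com (or example.com itself).
function Test-WildcardHostMatch {
    param(
        [Parameter(Mandatory)][string]$CommonName,   # e.g. '*.example.com' or 'bes10.example.com'
        [Parameter(Mandatory)][string]$HostName      # the FQDN that devices will connect to
    )
    $cn   = $CommonName.ToLowerInvariant().TrimEnd('.')
    $fqdn = $HostName.ToLowerInvariant().TrimEnd('.')

    if (-not $cn.StartsWith('*.')) {
        return ($cn -eq $fqdn)                       # no wildcard: exact, case-insensitive match only
    }
    $suffix = $cn.Substring(1)                       # '*.example.com' -> '.example.com'
    if (-not $fqdn.EndsWith($suffix)) { return $false }
    $leftmost = $fqdn.Substring(0, $fqdn.Length - $suffix.Length)
    # The wildcard must stand for exactly one non-empty label: no further dots allowed.
    return ($leftmost.Length -gt 0) -and (-not $leftmost.Contains('.'))
}

function Test-CommonNameCoversHosts {
    # Reports, for a planned common name, which core-component host names it would cover.
    param([string]$CommonName, [string[]]$HostNames)
    foreach ($h in $HostNames) {
        [pscustomobject]@{
            HostName = $h
            Covered  = Test-WildcardHostMatch -CommonName $CommonName -HostName $h
        }
    }
}

# Constructed host names for illustration; the first two are the guide's own example.
Test-CommonNameCoversHosts -CommonName '*.example.com' -HostNames @(
    'domain.example.com',       # covered
    'mdm.domain.example.com',   # not covered: two labels left of .example.com
    'example.com',              # not covered: the wildcard must match one label
    'bes10.example.org'         # not covered: different domain
) | Format-Table -AutoSize
```

If any core-component host sits more than one label below the wildcard suffix, the check reports it as not covered; in that case either request a separate certificate for that host or choose a common name at the deeper level, because the Communication Module will not match it.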
After you finish: Submit the CSR to a CA

Submit the CSR to a CA

The CSR that you create must be signed with the SHA-2 algorithm by a CA.

1. Submit the CSR to an external CA or your organization's CA. Contact the CA for details and follow the instructions.
2. Save the signed certificate that you receive from the CA.

After you finish:
• Copy the signed certificate to the computer that hosts Microsoft IIS.
• Complete the CSR

Complete the CSR

You must perform the following actions on the computer that hosts Microsoft IIS.

1. Open Internet Information Services (IIS) Manager.
2. Click the server name.
3. Double-click Server Certificates.
4. Click Complete Certificate Request.
5. Specify the location of the signed certificate and, in the Friendly name field, type a display name.
6. Click OK.
7. Double-click the certificate that you installed.
8. In the Certificate window, on the Details tab, click Copy to File.
9. In the Certificate Export Wizard, click Next.
10. Select Yes, export the private key. Click Next.
11. Select Personal Information Exchange - PKCS # 12 (.PFX). Click Next.
12. Type and confirm a password. Click Next.
13. Specify a location and file name for the SSL certificate. Click Next.
14. Click Finish.

After you finish: Copy the .pfx file for the SSL certificate, and the .cer, .crt, or .der file for the CA certificate(s) to each computer that hosts an instance of the BlackBerry Enterprise Service 10 core components.

5 Setting up BlackBerry Management Studio

Before you can activate and manage devices using BlackBerry Management Studio, you may need to configure BlackBerry Management Studio so that it can run in your organization's environment. You can add additional domains, change port numbers, set search options, and more.
Adding additional domains to BlackBerry Management Studio

You can configure BlackBerry Management Studio to access and manage the devices in other BlackBerry domains in your organization's environment. You can add any of the following domains:
• BlackBerry Enterprise Service 10 version 10.1 or later: BlackBerry Device Service and Universal Device Service
• BlackBerry Device Service 6.0 or later
• Universal Device Service 6.0 or later
• BlackBerry Enterprise Server 5.0 SP3 or later
• BlackBerry Enterprise Server Express 5.0 SP3 or later

To add a BlackBerry Device Service domain, a BlackBerry Enterprise Server domain, or a BlackBerry Enterprise Server Express domain, you use the BES10 Configuration Tool to specify the FQDN and port number of the BlackBerry Administration Service (for example, https://DOMAIN.EXAMPLE.COM:38443). If you configured the BlackBerry Administration Service for high availability, specify the BlackBerry Administration Service pool name. To add a Universal Device Service domain, you specify the FQDN and port of the BlackBerry Web Services (for example, https://DOMAIN.EXAMPLE.COM:18082).

If the certificate for a domain is expired or corrupt, you can use the BES10 Configuration Tool to recertify the domain.

Note: You can use BlackBerry Management Studio to manage licenses for BlackBerry Enterprise Service 10 version 10.1 or later only. For other domains, you must manage licenses using the administration console for that domain.

Default port numbers for supported domains

When you specify a domain that you want BlackBerry Management Studio to access, you must specify the appropriate port number for the component that BlackBerry Management Studio must connect with. The following table lists the appropriate component and default port number for each domain.
Domain | Component to connect with | Default port number
BlackBerry Enterprise Service 10 version 10.1 or later: BlackBerry Device Service | BlackBerry Administration Service | 38443
BlackBerry Device Service 6.0 or later | BlackBerry Administration Service | 38443
BlackBerry Enterprise Service 10 version 10.1 or later: Universal Device Service | BlackBerry Web Services | 18082
Universal Device Service 6.0 or later | BlackBerry Web Services | 8082
BlackBerry Enterprise Server 5.0 SP3 or later | BlackBerry Administration Service | 443
BlackBerry Enterprise Server Express 5.0 SP3 or later | BlackBerry Administration Service | 3443

Note: If you upgrade the Universal Device Service 6.x to BlackBerry Enterprise Service 10 version 10.1 or later, and you do not change the default port number, the BlackBerry Web Services use port 8082.

Add, remove, or recertify a domain

Before you begin: If you configured a BlackBerry Administration Service pool, verify that all instances in the pool use the same SSL certificate. For more information, see the BlackBerry Enterprise Service 10 Configuration Guide or the BlackBerry Enterprise Server Administration Guide.

1. On the computer that hosts the BlackBerry Enterprise Service 10 core components, click Start > All Programs > BlackBerry Enterprise Service 10 > Configuration Tool for BlackBerry Enterprise Service 10. If a Windows message appears and requests permission to make changes to the computer, click Yes.
2. On the BlackBerry Management Studio tab, complete any of the following tasks:

   Add a domain
   1. Click Add.
   2. In the Friendly name field, type a unique name for the domain that you want to add.
   3. In the URL field, type the FQDN and port number of the domain (for example, https://DOMAIN.EXAMPLE.COM:). If you configured a BlackBerry Administration Service pool, specify the pool name.
   4. Click OK.
   5. In the Trust Certificate dialog box, review the certificate details. If you trust the certificate, click Yes.
   6. Click OK.

   Recertify a domain
   1. In the Friendly name column, click the domain that you want to recertify.
   2. Click Recertify.
   3. In the Trust Certificate dialog box, review the certificate details. If you trust the certificate, click Yes.
   4. Click OK.

   Remove a domain
   1. In the Friendly name column, click the domain that you want to remove.
   2. Click Remove.
   3. Click OK.

3. Click Apply. Click OK.

After you finish:
• On each computer that hosts BlackBerry Enterprise Service 10 components, in the Windows Services, restart the BES10 - BlackBerry Management Studio service and the BES10 Self-Service service.
• When you add a Universal Device Service domain to BlackBerry Management Studio, you must add the BlackBerry Device Service domain that was installed with the Universal Device Service. BlackBerry Management Studio uses the BlackBerry Device Service instance to access licensing data for both domains.

Change the listening port for BlackBerry Management Studio

You can use the BES10 Configuration Tool to change the listening port for BlackBerry Management Studio.

1. On a computer that hosts a BlackBerry Enterprise Service 10 component, on the taskbar, click Start > All Programs > BlackBerry Enterprise Service 10 > Configuration Tool for BlackBerry Enterprise Service 10.
2. If a Windows message appears and requests permission to make changes to the computer, click Yes.
3. On the Port Settings tab, in the Listening port field, type the port number.
4. Click Apply. Click OK.
5. To close the BES10 Configuration Tool, click OK.

After you finish: In the Windows Services, restart the BES10 - BlackBerry Management Studio service.
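The Add a domain and Recertify a domain tasks above both end in a Trust Certificate dialog that asks you to accept the certificate presented by the remote BlackBerry Administration Service or BlackBerry Web Services. The PowerShell function below is an added example, not part of this guide or of the product, that retrieves that certificate over TLS and reports its subject, issuer, thumbprint and expiry, together with whether the local computer already chains it to a trusted root. It lets you compare the thumbprint in the dialog with a value the remote domain's administrator gives you out of band before you click Yes. DOMAIN.EXAMPLE.COM is the guide's placeholder host name, and the two ports are the defaults from the table above.

```powershell
# Added example; not part of the BES10 guide or the product.
# Fetches the certificate that a domain's administration endpoint presents during the TLS
# handshake so its thumbprint and expiry can be checked against what the Trust Certificate
# dialog shows, and against what that domain's administrator reports, before you click Yes.
# The validation callback accepts any certificate only so the handshake completes and the
# certificate can be inspected; nothing is trusted or stored by this script.
function Get-RemoteServerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $inspectOnly = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $inspectOnly)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            # Run a normal chain build so the report also says whether this machine already trusts it.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $trusted = $chain.Build($remote)
            [pscustomobject]@{
                Endpoint     = "https://${HostName}:${Port}"
                Subject      = $remote.Subject
                Issuer       = $remote.Issuer
                Thumbprint   = $remote.Thumbprint
                NotAfter     = $remote.NotAfter
                ChainTrusted = $trusted
                ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            }
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Close()
    }
}

# DOMAIN.EXAMPLE.COM is the guide's placeholder; the ports are the defaults from the table above.
Get-RemoteServerCertificate -HostName 'DOMAIN.EXAMPLE.COM' -Port 38443   # BlackBerry Administration Service
Get-RemoteServerCertificate -HostName 'DOMAIN.EXAMPLE.COM' -Port 18082   # BlackBerry Web Services
```

For a BlackBerry Administration Service pool, run the function against each pool member's FQDN as well as the pool name: the Before you begin note above requires every instance in the pool to present the same SSL certificate, and differing thumbprints across members are the quickest way to see that they do not.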
Change the search settings for BlackBerry Management Studio

You can use the BES10 Configuration Tool to change the maximum number of user accounts to display when you perform a search, and whether or not to display the list of user accounts when you log in.

1. On a computer that hosts a BlackBerry Enterprise Service 10 component, on the taskbar, click Start > All Programs > BlackBerry Enterprise Service 10 > Configuration Tool for BlackBerry Enterprise Service 10.
2. If a Windows message appears and requests permission to make changes to the computer, click Yes.
3. On the Search Settings tab, perform any of the following tasks:

   Change the maximum number of user accounts to display
   1. In the Maximum number of search results field, type the maximum number of user accounts.

   Hide the list of user accounts when you log in
   1. Select the check box under Quick login.

4. Click Apply. Click OK.
5. To close the BES10 Configuration Tool, click OK.

After you finish: In the Windows Services, restart the BES10 - BlackBerry Management Studio service.

Change the directory support for creating users in BlackBerry Management Studio

You can use the BES10 Configuration Tool to select whether administrators can create user accounts from either the company directory or a local directory in BlackBerry Management Studio.

1. On a computer that hosts a BlackBerry Enterprise Service 10 component, on the taskbar, click Start > All Programs > BlackBerry Enterprise Service 10 > Configuration Tool for BlackBerry Enterprise Service 10.
2. If a Windows message appears and requests permission to make changes to the computer, click Yes.
3. On the Directory Support tab, perform one of the following actions:
   • To create directory users in BlackBerry Management Studio, click Configure company directory support.
   • To create local users in BlackBerry Management Studio, click Configure local user support.
4. Click Apply. Click OK.
5. To close the BES10 Configuration Tool, click OK.

After you finish: In the Windows Services, restart the BES10 - BlackBerry Management Studio service.

Changing the label for a Service in BlackBerry Management Studio

BlackBerry Management Studio displays the label that you specified for each BlackBerry Device Service and Universal Device Service during the installation process. The label should be a display name that allows you to easily identify the different server instances in your organization's environment. You can use the BES10 Configuration Tool to change the label for a server instance in your organization's BlackBerry Enterprise Service 10 domain.

6 Product documentation

To read the following guides or other related materials, visit docs.blackberry.com/BES10.
Category: Overview

Resource: Introduction to BlackBerry Enterprise Service 10
• Quick, visual introduction to BlackBerry Enterprise Service 10 at a high level

Resource: What's New in BlackBerry Enterprise Service 10 Quick Reference
• Summary of new features, enhancements, and updates in BlackBerry Enterprise Service 10

Resource: BlackBerry Enterprise Service 10 Product Overview
• Introduction to BlackBerry Enterprise Service 10 and its features
• Finding your way through the documentation
• Architecture

Resource: Enterprise Solution Comparison Chart
• Comparison of what features are available across different BlackBerry enterprise solutions

Resource: Supported Features by Device Type
• Comparison of what features are supported for each type of device in BlackBerry Enterprise Service 10

Resource: BlackBerry Enterprise Service 10 Architecture and Data Flow Quick Reference Guide
• Descriptions of BlackBerry Enterprise Service 10 components
• Descriptions of activation and email data flows for different types of devices

Category: Release notes

Resource: BlackBerry Enterprise Service 10 Release Notes
• Descriptions of known issues and potential workarounds

Category: Installation and upgrade

Resource: BlackBerry Enterprise Service 10 Compatibility Matrix
• Software that is compatible with BlackBerry Enterprise Service 10

Resource: BlackBerry Enterprise Service 10 Performance Calculator
• Tool to estimate the hardware required to support a given workload for BlackBerry Enterprise Service 10

Resource: BlackBerry Enterprise Service 10 Installation Guide
• System requirements
• Installation instructions

Resource: BlackBerry Enterprise Service 10 Upgrade Guide
• System requirements
• Upgrade instructions

Resource: BlackBerry Enterprise Service 10 Licensing Guide
• Descriptions of different types of licenses
• Instructions for activating and managing licenses in BlackBerry Management Studio

Category: Configuration

Resource: BlackBerry Enterprise Service 10 Configuration Guide
• Instructions for how to configure server components before you start administering users and their devices

Category: Administration

Resource: BlackBerry Management Studio Basic Administration Guide
• Basic administration for all supported device types, including BlackBerry 10 devices, BlackBerry PlayBook tablets, iOS devices, Android devices, and BlackBerry 7.1 and earlier devices
• Instructions for creating and managing user accounts in multiple Services
• Instructions for managing multiple devices for each user account

Resource: BlackBerry Device Service Advanced Administration Guide
• Advanced administration for BlackBerry 10 devices and BlackBerry PlayBook tablets
• Instructions for creating user accounts, groups, roles, and administrator accounts
• Instructions for activating devices
• Instructions for creating and sending IT policies and profiles
• Instructions for managing apps on devices

Resource: Universal Device Service Advanced Administration Guide
• Advanced administration for iOS and Android devices
• Instructions for creating user accounts, groups, and administrator accounts
• Instructions for activating devices
• Instructions for creating and sending IT policies and profiles
• Instructions for managing apps on devices
• Descriptions of IT policy rules for iOS and Android devices

Resource: BlackBerry Device Service Policy Reference Spreadsheet
• Descriptions of IT policy rules for BlackBerry 10 devices and BlackBerry PlayBook tablets

Category: Security

Resource: BlackBerry Device Service Solution Security Technical Overview
• Description of the security maintained by the BlackBerry Device Service, BlackBerry Infrastructure, and BlackBerry 10 devices and BlackBerry PlayBook tablets to protect data and connections
• Description of the BlackBerry 10 OS
• Description of the BlackBerry PlayBook OS
• Description of how work data is protected on BlackBerry 10 devices and BlackBerry PlayBook tablets when you use the BlackBerry Device Service

Resource: Secure Work Space for iOS and Android Security Note
• Description of the security maintained by the Universal Device Service, BlackBerry Infrastructure, and work space-enabled devices to protect work space data at rest and in transit
• Description of how work space apps are protected on work space-enabled devices when you use the Universal Device Service

7 Provide feedback

To provide feedback on this content, visit www.blackberry.com/docsfeedback.

8 Glossary

APN: access point name
BlackBerry Enterprise Service 10 databases: The BlackBerry Enterprise Service 10 databases are the BlackBerry Configuration Database (associated with the BlackBerry Device Service) and the Management Database (associated with the Universal Device Service). By default, the databases are named BDSMgmt and BDSMgmt_UDS, respectively, when you install BlackBerry Enterprise Service 10.
BlackBerry Enterprise Service 10 domain: A BlackBerry Enterprise Service 10 domain consists of the BlackBerry Enterprise Service 10 databases and any BlackBerry Enterprise Service 10 instances that connect to them.
CA: certification authority
CAS: Client Access Server
CSR: certificate signing request
DNS: Domain Name System
EJB: Enterprise JavaBeans
FQDN: fully qualified domain name
HTTPS: Hypertext Transfer Protocol over Secure Sockets Layer
IIS: Internet Information Services
JNDI: Java Naming and Directory Interface
LDAP: Lightweight Directory Access Protocol
MIB: Management Information Base
MMC: Microsoft Management Console
OID: object identifier
PAC: Protected Access Credential
PAP: Push Access Protocol
RMI: Remote Method Invocation
SCEP: simple certificate enrollment protocol
SMTP: Simple Mail Transfer Protocol (SMTP) is a TCP/IP protocol used with POP or IMAP to send and receive email messages over a network, such as the Internet.
SNMP: Simple Network Management Protocol
SRP: Server Routing Protocol
SSL: Secure Sockets Layer
TCP: Transmission Control Protocol
TCP/IP: Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of communication protocols that is used to transmit data over networks, such as the Internet.
TLS: Transport Layer Security
UDP: User Datagram Protocol

9 Legal notice

©2015 BlackBerry. All rights reserved. BlackBerry® and related trademarks, names, and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world.

Android is a trademark of Google Inc. Apple is a trademark of Apple Inc. iOS is a trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS® is used under license by Apple Inc. Kerberos is a trademark of Massachusetts Institute of Technology. Microsoft, Active Directory, ActiveSync, ActiveX, Outlook, SQL Server, Visual C++, Windows, Windows 7, Windows Vista, Windows XP, Windows Server, and Windows PowerShell are trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners.

This documentation including all documentation incorporated by reference herein such as documentation provided or made available on the BlackBerry website provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by BlackBerry Limited and its affiliated companies ("BlackBerry") and BlackBerry assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect BlackBerry proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of BlackBerry technology in generalized terms.
BlackBerry reserves the right to periodically change information that is contained in this documentation; however, BlackBerry makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all. This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). BlackBerry does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by BlackBerry of the Third Party Products and Services or the third party in any way. EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. 
TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL BLACKBERRY BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH BLACKBERRY PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF BLACKBERRY PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF BLACKBERRY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, BLACKBERRY SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO BLACKBERRY AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED BLACKBERRY DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS. IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF BLACKBERRY OR ANY AFFILIATES OF BLACKBERRY HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION. Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with BlackBerry's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. 
Any Third Party Products and Services that are provided with BlackBerry's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by BlackBerry and BlackBerry assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with BlackBerry.

The terms of use of any BlackBerry product or service are set out in a separate license or other agreement with BlackBerry applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY BLACKBERRY FOR PORTIONS OF ANY BLACKBERRY PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.

BlackBerry Limited
2200 University Avenue East
Waterloo, Ontario
Canada N2K 0A7

BlackBerry UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom

Published in Canada